FIDO Case Studies - Insights from FIDO partners & implementors
https://fidoalliance.org/content/case-study/
Thu, 29 Jun 2023 18:18:10 +0000

Intuit’s ROI from Passwordless Customer Authentication
https://fidoalliance.org/case-study-intuits-roi-from-passwordless-customer-authentication/
Thu, 29 Jun 2023 14:18:45 +0000

The post Intuit’s ROI from Passwordless Customer Authentication appeared first on FIDO Alliance.


Business Situation

Intuit is the global financial technology platform that powers prosperity for more than 100 million consumers and businesses around the world using TurboTax, Credit Karma, QuickBooks and Mailchimp. The company’s long-held commitment to Design for Delight principles has been a key ingredient of its success in fueling innovation across its products, services and customer touchpoints to create bold new AI and data-driven personalized experiences at scale.

To execute on a user-centric focus, Intuit’s customer authentication products team, led by Rakan Khalid, Intuit Group Product Manager, Identity, justifies and prioritizes development of new authentication capabilities based on user research, security trends and technology advancements in the industry. This has led to an overarching strategy that emphasizes secure and convenient authentication experiences on its platform.

Intuit saw the potential of the FIDO (Fast ID Online) Alliance early on and began a multi-year FIDO journey in 2018 to reduce customer friction and enhance security, at lower operating costs.

Business Challenges

Intuit set out to address several challenges when evolving its customer authentication strategy to serve a growing customer base across a diverse set of product offerings and user personas:

  • Customers experienced friction when logging on, which negatively impacted key business metrics.
  • Sign-in times (time to successful sign-in) were getting longer, and calls into customer care for account sign-in-related issues were increasing.
  • Product teams were challenged to balance ease-of-use and convenience for users with appropriate levels of security.

Business Objectives

The team set out to achieve the following business objectives for customer authentication across Intuit’s product portfolio:

  1. Deliver a delightful and seamless customer authentication experience that “just works” across multiple devices.
  2. Push the envelope on customer authentication technology to further enhance the security posture of Intuit.
  3. Build a resilient, scalable, durable customer authentication capability for its current and future business needs.

OVERVIEW

“As an early adopter of FIDO, we’ve seen significant business benefits and are completely on board with continuing to leverage the latest FIDO innovations with our partner, Nok Nok.”

Rakan Khalid, Intuit Group Product Manager, Identity

Results and Benefits

Intuit was able to reduce customer friction, resulting in authentication success rates of 95% to 97% and 70% faster sign-in speeds.

FIDO Authentication Deployment – Measured Steps

Intuit implemented a FIDO-based customer authentication solution in line with the FIDO Alliance’s founding members’ goals. FIDO protocols are based on an asymmetric cryptographic authentication framework designed to enhance security, provide a better user experience (compared to traditional passwords) and reduce cost and complexity.

Although FIDO is an open standard, the expertise required to code and deploy a scalable FIDO solution for millions of consumer and small business customers led Intuit to license a FIDO authentication platform.

Intuit selected the Nok Nok™ S3 Authentication Suite (S3 Suite) for its advanced FIDO features and capabilities; its optional on-prem deployment model; and its speed, scale and resilience, which had been validated by Nok Nok enterprise customers.

Intuit’s authentication team placed a high priority on working with a FIDO leader with deep and relevant experience in customer authentication, and therefore well-equipped to keep pace with industry progress in this fast-evolving technology.

Build vs. Buy: Intuit recognized that the company would benefit from the expertise of a vendor with experience working with other major companies on its authentication journey, and enjoy access to innovative product enhancements along the way.

Progressive Deployment: Intuit opted to deploy Nok Nok’s customer authentication solution across multiple apps in a controlled and measurable manner:

  • Intuit’s authentication team initially tested Nok Nok’s FIDO passwordless customer authentication on the mobile iOS version of an Intuit product with a small customer base.
  • Over the next few months, the team rolled out Nok Nok’s FIDO passwordless solution on mobile iOS and Android platforms for a broader customer base on multiple Intuit products.
  • The team added FIDO as an option to Intuit’s passwordless customer onboarding flow, which improved onboarding conversion rates and reduced subsequent sign-in times.
  • Over the last 5 years, Intuit has grown its total FIDO registrations to over 77 million.

Authentication Solution Delivers on Business Objectives

Intuit has been able to achieve all of its business objectives, while simultaneously addressing new use cases for a growing customer base:

  1. Delightful Customer Sign-in – FIDO-based multi-factor authentication (MFA) for customer sign-in dramatically improves and simplifies the user sign-in experience because it’s completed in a single user step. This reduces the need for a multi-step authentication process (e.g., password, texting one-time passcodes). Using FIDO, Intuit users are presented with a seamless, passwordless flow using device-based platform authenticators, such as biometrics with which they’re already comfortable.
  2. Enhanced Customer Security – When FIDO authentication is used, it eliminates the passing of passwords and one-time tokens between apps and services, which can reduce the risk of interception attacks.
  3. Global Scale – Since Nok Nok’s S3 platform is trusted by some of the largest banks, telcos and fintech brands across five continents and has been proven to scale across demanding customer environments, it has given Intuit the confidence that the platform will continue to scale with the company’s future growth while maintaining uptime and authentication speeds.

Today, more than 85% of all customer authentications on Intuit’s mobile apps are done using FIDO.

Business Results

By deploying a passwordless solution for customer authentication, Intuit was able to reduce customer friction, thereby reducing operating expenses. Users who adopted the FIDO passwordless authentication option experienced authentication success rates of 95% to 97% when compared to a baseline of 80% for legacy multi-factor authentication and 70% faster sign-in speeds over non-FIDO sign-ins.

Looking Ahead

Over the past several years, Intuit has experienced the power of FIDO customer authentication for its consumer and small business customers, and validated its benefits with its product, technology, security, user experience and customer care teams. Looking ahead, the company intends to explore multi-device passkey technology as the next frontier on its authentication journey.

Toyota Motor Corporation turns to FIDO Authentication for Enhanced Login in Japan
https://fidoalliance.org/toyota-motor-corporation-turners-to-fido-authentication-for-enhanced-login-in-japan-2/
Mon, 26 Jun 2023 23:56:55 +0000


Corporate overview and challenge

As the “CASE” trend is gaining ground in the automotive industry, Toyota Motor Corporation, a leader and evolving company in the industry, is changing its model from a “car company” to a “mobility company”. In the area of “C: Connected,” Toyota is working to realize its vision of “Mobility for All – Freedom and Enjoyment of Mobility for All People,” and is developing a number of new services, including a “digital key” that allows the use of smartphones as keys, as well as a website and smartphone applications, for a wide range of users.

The “TOYOTA/LEXUS common ID” (“common ID”), a customer authentication service for safe and comfortable use of various services provided by Toyota, plays an important role in the provision of a series of services. The 5 million TOYOTA common IDs are linked to about 40 different services, and the multiple smartphone applications provided to customers required the input of IDs/passwords for each application.

FIDO 2 deployment

Toyota Motor Corporation has decided to deploy FIDO authentication as an optional authentication function for the “Common ID,” the major advantage of which is that by registering FIDO authentication credentials in advance, users will no longer need to go through the process of entering their ID/password each time they use each smartphone application.

Prior to deploying FIDO authentication, Toyota Motor Corporation had been using one-time password authentication and backup code authentication as a means of multi-factor authentication for common IDs. The main reason for choosing FIDO as one of the new options for multi-factor authentication was the robust security and usability of FIDO authentication. By utilizing FIDO, which combines possession of the smartphone used in everyday life with biometrics on that device as a form of multi-factor authentication, a high level of security was ensured, and it also contributed to an improved user experience.

NRI Secure Technologies, Inc. (NRI Secure), which manages common IDs, has an authentication infrastructure called “Uni-ID Libra” that is compliant with FIDO authentication, and we requested their cooperation for implementation.

Before FIDO authentication could be introduced for iOS and Android devices, the issue was the impact on the UX of differences in behavior depending on the OS (whether or not Discoverable Credentials, formerly known as Resident Keys, are supported; whether explicit user interaction is required during key registration, as in Safari for iOS; and so on). In the end, we were able to absorb these differences in UX by modifying the authentication web screen, which resolved the issue.

With this implementation, Toyota Motor Corporation has also focused on the importance of designing the life cycle of FIDO authenticators together. In providing services, it is necessary to prepare not only for authentication, but also for registration, device switching, and account recovery in case of loss. If other companies that provide services to consumers consider FIDO authentication, they should have a method that can maintain security strength when switching devices or recovering accounts.

OVERVIEW
Toyota Motor Corporation, headquartered in Toyota City, Japan, is Japan’s largest automobile manufacturer.

C (Connected):
IoT for automobiles

A (Autonomous):
Automated driving

S (Shared & Services):
From ownership to sharing

E (Electric):
Electric vehicles

Finally, Masatoshi Hayashi, Toyota Motor Corporation’s Connected Company Value Chain Infrastructure Development Department, who spoke with us about this case study, made the following comments.

“With the expansion of the connected strategy, the number of operations that can be carried out on smartphone applications and websites has been increasing. While convenient, they can also lead to accidents if misused, so more security measures are required. We believe that FIDO authentication will contribute as one piece to continue providing convenient and safe mobility services to our customers.”

(*) To obtain a common ID and register FIDO credentials, please visit https://id.toyota

PNC Uses FIDO Authentication to Reduce Security Risks, Improve User Experience
https://fidoalliance.org/pnc-uses-fido-authentication-to-reduce-security-risks-improve-user-experience/
Wed, 14 Jun 2023 14:31:21 +0000


Why PNC Opted for FIDO

Security is of critical importance to PNC and its customers. PNC’s approach to providing digital services is founded on a strong commitment to privacy protection for those who use its services. Multi-factor authentication is a key component of protecting customer identities and data, and FIDO’s standard helped provide a roadmap to implementation.

As a result, PNC has been able to provide customers authentication options that are easy to use but still afford consistency in terms of protection. This translates into high-quality identity assurance to verify and validate that the right customer is enrolled and minimize the risk of impersonation. 

“We needed to find a way to create a user-friendly mechanism to improve customer security without creating a burdensome process that required so many steps that it dissuaded customers from enrolling or engaging,” said Susan Koski, Chief Information Security Officer at PNC.

Benefits Realized

By using FIDO standards, PNC has been able to manage the authentication experience in such a way that it leverages the security features of a customer’s device, applying industry best practices for designing this identity protection mechanism. Ultimately, FIDO standards have been a core component of PNC’s cybersecurity strategy to minimize the risk of unauthorized access to customer credentials.

“We continue to identify ways to improve security for our customers; ultimately, reducing the reliance on passwords and other phishable credentials from our ecosystem is a critical aspect to protecting our customers,” Koski said.

OVERVIEW


PNC Financial Services is a coast-to-coast franchise with an extensive retail branch network and a presence in the country’s 30 largest markets. As one of the largest diversified financial services institutions in the United States and across four strategic international offices, PNC provides retail banking, corporate and institutional banking, and asset management. In a rapidly changing financial industry, PNC is focused on providing control and functionality that customers want – in a secure environment. To advance this goal, PNC has implemented FIDO authentication in specific use cases to help reduce security risks and improve user experience.

PNC Bank, National Association, is a member of The PNC Financial Services Group, Inc. (NYSE: PNC). PNC is one of the largest diversified financial services institutions in the United States, organized around its customers and communities for strong relationships and local delivery of retail and business banking including a full range of lending products; specialized services for corporations and government entities, including corporate banking, real estate finance and asset-based lending; wealth management and asset management. For information about PNC, visit www.pnc.com.

Cloudflare embraces FIDO to help its own security
https://fidoalliance.org/cloudflare-embraces-fido-to-help-its-own-security/
Thu, 02 Mar 2023 19:08:21 +0000


THE CHALLENGE:
Improving Employee Access with Zero Trust

When Cloudflare started, the company provided its employees with access to internal applications via a virtual private network (VPN). Access to some, but not all, applications behind the VPN required two-factor authentication, typically done with one-time passcodes (OTP) generated by applications like Authy or Google Authenticator.

Cloudflare realized that it needed a more secure and scalable approach than VPN and started a process of moving toward a Zero Trust architecture utilizing Cloudflare Access.

From OTP to unphishable FIDO authentication

As part of its migration to a zero trust architecture, Cloudflare began using FIDO-based security keys in 2018.

The goal behind using FIDO2 was to provide strong authentication that would enable Cloudflare’s zero trust model.

“I wanted something that was unphishable,” said Derek Pitts, director of enterprise security at Cloudflare. “If we were going to go through all the trouble of redoing a lot of our identity and access management infrastructure, I wanted it to be future proof and resilient.”

Overcoming barriers to adoption with selective enforcement

Cloudflare’s path to adoption of FIDO security keys was not an entirely straight path. Initially there were concerns around account recovery and replacement of lost physical security keys.

Another challenge was the fact that Cloudflare’s users were used to using OTP technology with Google Authenticator, or Authy. Managing user change aversion and education were key components in the switch from OTP to FIDO security keys. This led Cloudflare to a selective enforcement approach, so as not to force change on users that could potentially lock them out.

What Cloudflare did was to integrate FIDO into the identity-aware access proxy that internal users used to reach internal sites. Instead of immediately requiring FIDO for all internal sites, Cloudflare initially required the use of security keys on only three of its sites. Selective enforcement for FIDO security keys was activated on July 20, 2020, the day Twitter fell victim to a social engineering attack.

“That day was mayhem and we wanted to ensure that didn’t happen to us,” Pitts said.

Pitts said that by requiring the use of FIDO2/WebAuthn for its three most sensitive internal apps, adoption grew because it gave employees a training ground to get familiar with the technology. In 2021, Cloudflare made the switch to requiring FIDO security keys across its network.

OVERVIEW

Founded in 2010, Cloudflare is one of the world’s leading internet content delivery and security platforms. Cloudflare’s products include a range of services including web performance, application network, zero trust and developer services.

Cloudflare’s network handles over 36 million HTTP requests per second and blocks over 124 billion cyber attacks a day. The Cloudflare network has over 200 points of presence around the globe.

“Selective enforcement ended up being a huge deal for us,” Pitts said. “That was one of the biggest forcing functions and things that made this project successful.”

Read Cloudflare’s blog, “How Cloudflare implemented hardware keys with FIDO2 and Zero Trust to prevent phishing,” to learn more about their FIDO Authentication implementation.

LESSONS LEARNED:
Take the small wins where you can

From the outset, the movement toward strong authentication had top-down support from Cloudflare’s CEO, CIO and CSO. Pitts said that having the executive buy-in was important as it helped his team to push through when it ran into issues.

Cloudflare has a large and complex network architecture and it didn’t move to WebAuthn/FIDO2 overnight. Pitts said that it was a multi-year effort that was successful on the foundation of a series of incremental small wins that helped to prove that the technology can work to improve security.

The small wins approach incorporated Cloudflare’s selective enforcement approach. Pitts said that it’s important to have a training ground that will allow users to try out security keys and get familiar with the approach.

Yahoo! JAPAN’s password-free authentication reduced inquiries by 25%, sped up sign-in time by 2.6x
https://fidoalliance.org/yahoo-japans-password-free-authentication-reduced-inquiries-by-25-sped-up-sign-in-time-by-2-6x/
Thu, 30 Jun 2022 17:05:42 +0000


Why passwordless?

As Yahoo! JAPAN offers e-commerce and other money-related services, there’s a risk of significant damage to users in the event of unauthorized access or account loss.

The most common attacks related to passwords were password list attacks and phishing scams. One of the reasons why password list attacks are common and effective is many people’s habit of using the same password for multiple applications and websites.

The following figures are the results of a survey conducted by Yahoo! JAPAN.

Overview

Yahoo! JAPAN is one of the largest media companies in Japan, providing services such as search, news, e-commerce, and e-mail. Over 50 million users log in to Yahoo! JAPAN services every month. Over the years, there were many attacks on user accounts and issues that led to lost account access. Most of these issues were related to password usage for authentication. With recent advances in authentication technology, Yahoo! JAPAN has decided to move from password-based to passwordless authentication.

Yahoo! JAPAN’s passwordless initiatives

Yahoo! JAPAN is taking a number of steps to promote passwordless authentication, which can be broadly divided into three categories:

  1. Provide an alternative means of authentication to passwords.
  2. Password deactivation.
  3. Passwordless account registration.

The first two initiatives are aimed at existing users, while passwordless registration is aimed at new users.

1. Providing an alternative means of authentication to passwords

Yahoo! JAPAN offers the following alternatives to passwords.

  1. SMS authentication
  2. FIDO with WebAuthn

In addition, we also offer authentication methods such as e-mail authentication, password combined with SMS OTP (one time password), and password combined with email OTP.

Important

Yahoo! JAPAN restricts their service to phone carriers operating inside Japan and prohibits VoIP SMS.

SMS authentication

SMS authentication is a system which allows a registered user to receive a six-digit authentication code through SMS. Once the user receives the SMS, they can enter the authentication code in the app or website.

Apple has long allowed iOS to read SMS messages and suggest authentication codes from the text body. Recently, it’s become possible to use suggestions by specifying “one-time-code” in the autocomplete attribute of the input element. Chrome on Android, Windows, and Mac can provide the same experience using the WebOTP API.

For example, the form and the script that requests the code (the script waits for the DOM to load so that the input element exists before it runs):

    <form>
      <input type="text" id="code" autocomplete="one-time-code"/>
      <button type="submit">sign in</button>
    </form>

    if ('OTPCredential' in window) {
      window.addEventListener('DOMContentLoaded', e => {
        const input = document.getElementById('code');
        if (!input) return;
        // Cancel the pending WebOTP request if the user submits the form by hand.
        const ac = new AbortController();
        const form = input.closest('form');
        if (form) {
          form.addEventListener('submit', e => {
            ac.abort();
          });
        }
        // Ask the browser for the one-time code delivered over SMS.
        navigator.credentials.get({
          otp: { transport: ['sms'] },
          signal: ac.signal
        }).then(otp => {
          input.value = otp.code;
        }).catch(err => {
          console.log(err);
        });
      });
    }

Both approaches are designed to prevent phishing by including the domain in the SMS body and providing suggestions only for the specified domain.

For more information about the WebOTP API and autocomplete="one-time-code", check out SMS OTP form best practices.

FIDO with WebAuthn

FIDO with WebAuthn uses a hardware authenticator to generate a public/private key pair and prove possession of the private key. When a smartphone is used as the authenticator, it can be combined with biometric authentication (such as fingerprint sensors or facial recognition) to perform one-step two-factor authentication. In this case, only the signature and the success indication from the biometric authentication are sent to the server, so there is no risk of biometric data theft.

The following diagram shows the server-client configuration for FIDO. The client authenticator authenticates the user with biometrics and signs the result using public key cryptography. The private key used to create the signature is securely stored in a TEE (Trusted Execution Environment) or similar location. A service provider that uses FIDO is called an RP (relying party).

Once the user performs the authentication (commonly with a biometric scan or PIN), the authenticator uses a private key to send a signed verification signal to the browser. The browser then shares that signal with the RP’s website. The RP website then sends the signed verification signal to the RP’s server, which verifies the signature against the public key to complete the authentication.

For more information, read authentication guidelines from the FIDO Alliance.

Yahoo! JAPAN supports FIDO on Android (mobile app and web), iOS (mobile app and web), Windows (Edge, Chrome, Firefox), and macOS (Safari, Chrome). As a consumer service, FIDO can be used on almost any device, which makes it a good option for promoting passwordless authentication.

    Operating System         Support for FIDO
    Android                  Apps, Browser (Chrome)
    iOS                      Apps (iOS 14 or later), Browser (Safari 14 or later)
    Windows                  Browser (Edge, Chrome, Firefox)
    Mac (Big Sur or later)   Browser (Safari, Chrome)

[Image: Sample Yahoo! JAPAN prompt to authenticate with FIDO.]

Yahoo! JAPAN recommends that users register for FIDO with WebAuthn, if they’ve not already authenticated through other means. When a user needs to log in with the same device, they can quickly authenticate using a biometric sensor.

Users must set up FIDO authentication with all devices they use to log in to Yahoo! JAPAN.

To promote passwordless authentication and be considerate of users who are transitioning away from passwords, we provide multiple means of authentication. This means that different users can have different authentication method settings, and the authentication methods they can use may differ from browser to browser. We believe it’s a better experience if users log in using the same authentication method each time.

To meet these requirements, it’s necessary to track previous authentication methods and link this information to the client by storing it in the form of cookies, etc. We can then analyze how different browsers and applications are used for authentication. The user is asked to provide appropriate authentication based on the user’s settings, the previous authentication methods used, and the minimum level of authentication required.

2. Password deactivation

Yahoo! JAPAN asks users to set up an alternative authentication method and then disable their password so that it cannot be used. In addition to setting up alternative authentication, disabling password authentication (therefore making it impossible to sign in with only a password) helps protect users from list-based attacks.

We’ve taken the following steps to encourage users to disable their passwords.

  • Promoting alternative authentication methods when users reset their passwords.
  • Encouraging users to set up easy-to-use authentication methods (such as FIDO) and disable passwords for situations that require frequent authentication.
  • Urging users to disable their passwords before using high-risk services, such as e-commerce payments.

If a user forgets their password, they can run an account recovery. Previously this involved a password reset. Now, users can choose to set up a different authentication method, and we encourage them to do so.

3. Passwordless account registration

New users can create password-free Yahoo! JAPAN accounts. Users are first required to register with an SMS authentication. Once they’ve logged in, we encourage the user to set up FIDO authentication.

Since FIDO is a per-device setting, it can be difficult to recover an account, should the device become inoperable. Therefore, we require users to keep their phone number registered, even after they’ve set up additional authentication.

Key challenges for passwordless authentication

Passwords rely on human memory and are device-independent. On the other hand, the authentication methods introduced thus far in our passwordless initiative are device-dependent. This poses several challenges.

When multiple devices are used, there are some issues related to usability:

  • When using SMS authentication to log in from a PC, users must check their mobile phone for incoming SMS messages. This may be inconvenient, as it requires the user’s phone to be available and easy to access at any time.
  • With FIDO, especially with platform authenticators, a user with multiple devices will be unable to authenticate on unregistered devices. Registration must be completed for each device they intend to use.

FIDO authentication is tied to specific devices, which requires they remain in the user’s possession and active.

  • If the service contract is canceled, it will no longer be possible to send SMS messages to the registered phone number.
  • FIDO stores private keys on a specific device. If the device is lost, those keys are unusable.

Yahoo! JAPAN is taking various steps to address these problems.

The most important solution is to encourage users to set up multiple authentication methods. This provides alternative account access when devices are lost. Since FIDO keys are device-dependent, it is also good practice to register FIDO private keys on multiple devices.

Alternatively, users can use the WebOTP API to pass SMS verification codes from an Android phone to Chrome on a PC.

Apple recently announced the passkeys feature. Apple uses iCloud Keychain to share the private key (stored on the device) among devices that are signed in with the same Apple ID, which eliminates the need for registration for each device. The FIDO Alliance recognizes the importance of account recovery issues and has published a white paper.

We believe that addressing these issues will become even more important as passwordless authentication spreads.

Promoting passwordless authentication

Yahoo! JAPAN has been working on these passwordless initiatives since 2015. This began with the acquisition of FIDO server certification in May 2015, followed by the introduction of SMS authentication, a password deactivation feature, and FIDO support for each device.

Today, more than 30 million monthly active users have already disabled their passwords and are using non-password authentication methods. Yahoo! JAPAN’s support for FIDO started with Chrome on Android, and now more than 10 million users have set up FIDO authentication.

As a result of Yahoo! JAPAN’s initiatives, the percentage of inquiries involving forgotten login IDs or passwords has decreased by 25% compared to the period when the number of such inquiries was at its highest, and we have also been able to confirm that unauthorized access has declined as a result of the increase in the number of passwordless accounts.

Since FIDO is so easy to set up, it has a particularly high conversion rate. In fact, Yahoo! JAPAN has found that FIDO has a higher CVR than SMS authentication.

FIDO has a higher success rate than SMS authentication, and faster average and median authentication times. As for passwords, some groups have short authentication times, and we suspect that this is due to the browser’s autocomplete="current-password".

Graph comparison of authentication time for passwords, SMS, and FIDO.
On average, FIDO takes 8 seconds to authenticate, while passwords take 21 seconds, and SMS verification takes 27.

The greatest difficulty for offering passwordless accounts is not the addition of authentication methods, but popularizing the use of authenticators. If the experience of using a passwordless service is not user-friendly, the transition will not be easy.

We believe that to achieve improved security we must first improve usability, which will require unique innovations for each service.

Conclusion

Password authentication is risky in terms of security, and it also poses challenges in terms of usability. Now that technologies supporting non-password authentication, such as WebOTP API and FIDO, are more widely available, it’s time to start working toward passwordless authentication.

At Yahoo! JAPAN, taking this approach has had a definite effect on both usability and security. However, many users are still using passwords, so we will continue to encourage more users to switch to passwordless authentication methods. We will also continue improving our products to optimize the user experience for passwordless authentication methods.

View Yahoo! JAPAN’s Case Study PDF document here.

Source: https://web.dev/yahoo-japan-identity-case-study

Cambridge Housing Authority’s Road to FIDO https://fidoalliance.org/cambridge-housing-authoritys-road-to-fido/ Fri, 20 May 2022 17:56:37 +0000


The Challenge:

At the Authenticate 2021 event, Jay Leslie, CIO of the Cambridge Housing Authority, recounted that his organization had been the victim of a spear phishing attack and that he was looking for a way to provide a more secure approach to user account authentication.

To help improve its security posture, the CHA was initially looking for a method of multi-factor authentication (MFA) to better secure access to the agency’s information resources. 

CHA had a number of key requirements for its MFA adoption. One of the requirements was that the MFA method should not require a phone authenticator app, as the CHA doesn’t issue company mobile phones broadly. Additionally, there was some resistance to using personal devices for work by CHA staff. 

Another primary requirement was that the MFA could not require an additional object for users and IT to keep track of, such as hardware authenticator keys.

The Road to FIDO: Enabling a Better User Experience

CHA considered a number of different approaches before settling on FIDO Authentication.

CHA’s users carry HID smart cards for physical access to CHA offices, and an initial idea was to use those cards for MFA. However, the specific HID cards used by CHA are older models and could not be reused for access to computer resources.

While researching multi-factor authentication options, CHA came across the FIDO Alliance website. CHA realized that FIDO Authentication could be supported within its existing environment with a lot of the organization’s existing processes and infrastructure.

Further investigation led CHA to realize that simple convenient multi-factor authentication was too narrow a goal and that FIDO adoption offered the opportunity for something much greater.

FIDO offered CHA the chance to revolutionize the user experience for its staff. With FIDO, not only could secure Windows authentication be achieved, but by leveraging WebAuthn and SAML single sign-on, secure, seamless passwordless authentication could also be enabled for every major system and application used at the agency.

Overview

The Cambridge Housing Authority (CHA) helps to provide rental assistance and affordable long-term rental housing to low-income residents of Cambridge, Mass. The CHA uses IT throughout its organization to help onboard residents into public housing and has limited IT staff.

Convenient, Efficient and More Secure

“A 6-digit PIN that doesn’t need to be changed periodically is far more convenient to remember and type than a long password. I have found it very easy and efficient to use. The IT department assures me it’s more secure, too.” — John Filip, CFO, Cambridge Housing Authority

Why FIDO Standards Matter

For CHA, choosing a standards-based approach was a critical factor for multi-factor authentication.

With a small IT staff and limited resources, choosing a technology approach that will stand the test of time is an important factor.  

A standards-based approach to strong authentication allows CHA to benefit from industry efforts and to use a solution that has broad and growing support. A standards-based approach with FIDO can be supported for years to come and is a better option than CHA going it alone to cobble together a kludge that is just good enough today but may be left behind in a year or two.

How CHA Uses FIDO with Windows Hello

CHA was already running Microsoft Windows on its systems, providing the organization with an easy entry point to the world of FIDO.

The organization implemented FIDO-compliant Windows Hello for Business using the key-based method. CHA’s IT team encouraged the use of device PINs for the initial rollout in an effort to support as many users as possible.

The initial Windows Hello for Business rollout was to a small pilot group of users. When the pilot was expanded to a larger group of users, CHA encountered problems due to the organization not fully understanding the infrastructure required to support the solution. After pausing to fully understand the requirements, CHA realized that its small technology team lacked the experience and the time to carry out a full-scale implementation effectively. As such, CHA then identified resources that could help.

From MFA to Organization-wide Passwordless

CHA didn’t just choose FIDO for MFA. 

The FIDO deployment at CHA is a larger effort to embrace a broader passwordless model throughout the organization. CHA’s passwordless project to implement FIDO-compliant Windows Hello for Business also included a SAML SSO component to make all possible systems and applications passwordless. 

CHA now has over 250 account holders with most of them using FIDO device-based PINs for authentication instead of passwords on a regular basis.

The Future of FIDO at CHA

FIDO Authentication is set to remain critical to CHA’s authentication strategy.  Looking forward, the organization is likely to move from device-based PIN authentication to fingerprint or HID card-and-PIN authentication, as acceptance of biometrics and the ubiquity of fingerprint readers and NFC-enabled endpoints grows.

For organizations considering rolling out FIDO Authentication, Jay Leslie, CIO of CHA, has a few seasoned words of advice. Leslie suggests that IT teams should not be afraid to seek outside help and should not consider an extended pilot a failure. It can take third-party expertise and time to get the implementation right, but it is well worth it, in his view.

View the Cambridge Housing Authority (CHA) Case Study PDF document here.

PLUSCARD uses FIDO as Innovative Alternative to App-based Payment Authentication https://fidoalliance.org/pluscard-uses-fido-as-innovative-alternative-to-app-based-payment-authentication/ Sat, 30 Oct 2021 00:29:20 +0000


Overview

PLUSCARD, a full-service processor for 140 financial institutions across Germany, worked with Entersekt and its partner Netcetera to launch the first FIDO Certified alternative to app-based authentication in Europe in June 2021. The solution gives customers the option to use FIDO2 Security Keys to authenticate themselves for payments with online merchants leveraging the latest EMV 3DS protocol. 

The Challenge: Authenticating without a mobile device

PLUSCARD needed a way to authenticate customers for online transactions that did not rely on a mobile device and that also aligned with PSD2 regulations for security and usability.

Every online payment that must be authenticated by PLUSCARD requires verification that the account or card data were entered by the legitimate cardholder. Various methods exist to prove the identity of shoppers online; however, most require the use of a mobile app. For customers who do not have a mobile device, or who prefer to make payments from a laptop or desktop computer, there are very few secure alternatives available.

Company Profiles


PLUSCARD:
Full-service processor for 140 financial institutions across Germany

Netcetera:
Market leader for digital payment solutions

Entersekt:
Specialist in strong customer authentication

“You won’t necessarily attract customers with good authentication, but you definitely won’t lose any because of it.”

– Petra Silsbee, Head of Department, Prevention/Dispute Management, PLUSCARD

The Road to FIDO: Weighing PSD2-compliant options

Customer authentication procedures have become more complex in the EU due to the introduction of PSD2 and strong customer authentication (SCA). Under the regulation, processing via mobile devices guarantees compliance with the stricter requirements, while offering a better payment experience for consumers at the same time.

While many opted to use SMS OTPs, PLUSCARD prioritized security and usability from the beginning of its journey by initially opting for a proprietary mobile app in combination with biometrics. This met the needs of mobile users but left a gap for customers who preferred, or only had access to, computers. To fill that gap, PLUSCARD concluded that FIDO2 Security Keys not only met the regulations but were not tied to possession of a mobile device and excelled in both security and usability.

PLUSCARD also saw an opportunity to provide its customers with a consistent authentication and payment journey with FIDO. Not only can customers use their FIDO Security Keys to log into other common services like Google, GitHub and Twitter, they can now also use them to log into their account and pay — all within one shopping experience.

FIDO2 Implementation: Today and in the future

PLUSCARD, with Entersekt and Netcetera, implemented the FIDO standard in their joint solution.

Entersekt provides the solution’s FIDO server, which is certified by the FIDO Alliance. PLUSCARD’s cardholders register their FIDO Security Key with their bank. The security key is then linked to the customer’s credit card and can be used to easily authenticate their online transactions at online merchants that have implemented EMV 3DS.

This works at any online merchant that has implemented the latest version of EMV 3DS. However, there are challenges with those merchants that have not yet updated to the newest version.


FIDO2 is a set of strong authentication standards that enables users to leverage common devices like on-device biometrics and FIDO security keys to authenticate to online services with phishing-resistant cryptographic security. The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).


As more merchants are implementing the latest version of EMV 3DS, which supports FIDO authentication, they will be able to work FIDO into their checkout authentication process. With broader adoption on the horizon, PLUSCARD is looking to replace their proprietary mobile app with a FIDO-based on-device authentication option. 

A Valuable Lesson Learned

“Authentication is not a one-time investment — it’s a journey,” said Petra Silsbee, Head of Department, Dispute Management, at PLUSCARD. “The goal isn’t just to comply with regulations and requirements, but to provide the best service and experience for customers. Be curious about the solutions available, ask questions, and don’t be afraid to start fresh if a previous investment isn’t meeting your needs and expectations.”

Yahoo! JAPAN turns to FIDO Authentication for Enhanced Login https://fidoalliance.org/yahoo-japan-turns-to-fido-authentication-for-enhanced-login/ Wed, 08 Sep 2021 18:22:49 +0000


Yahoo Japan Corporation is an internet company offering more than 100 services, including search engine, auction, news, weather, sport, email and shopping to the more than 51 million active users on its platform.

For Yahoo! JAPAN, the act of signing in is the entry point to all of its services. This makes it critical that the experience at that entry point is a positive one for all users. At the same time, it’s equally critical that every user’s personal information is well protected.

To find the right balance between convenience and security, Yahoo! JAPAN turned to FIDO Authentication.

From Early Member to Early Adopter

Yahoo! JAPAN was one of the earliest members of the FIDO Alliance, joining in April 2014. In its role as a member, executives from Yahoo! JAPAN participated in user authentication specifications development, particularly the FIDO2 standards, and best practices for FIDO adoption for consumers via the Alliance’s Consumer Deployment Working Group. Yahoo! JAPAN was appointed to the FIDO Alliance board of directors in 2019.

During this time of actively contributing to the FIDO Alliance, Yahoo! JAPAN was evaluating FIDO for its own services. Yahoo! JAPAN had been offering SMS one-time passcodes for two-factor authentication but they weren’t quick, secure or easy enough for their users. By taking a standards-based approach with FIDO, specifically the FIDO2 standards, Yahoo! JAPAN learned it could provide strong authentication in a very simple way via on-device biometrics on billions of supported mobile, desktop and laptop devices.

Yahoo! JAPAN’s journey with FIDO deployment began in 2018 when the company became the first in Japan to certify a FIDO2 server, a necessary component for delivering FIDO Authentication to its users. After extensive internal testing and piloting, Yahoo! JAPAN unveiled its first deployment on Android Chrome in October 2018, the first deployment by a relying party. Today, the company offers FIDO Authentication on Android and iOS, both in the browser and for native applications (see figure 1 for the deployment journey). Next up, Yahoo! JAPAN plans to offer FIDO Authentication on desktop and laptop PCs.

Simultaneously with its FIDO deployment, Yahoo! JAPAN began offering its users the opportunity to disable passwords entirely, and register new accounts without having to establish a password.

For Yahoo! JAPAN users that have opted in to FIDO, sign in is very simple (see figure 2):

  1. The user inputs their user ID and clicks next
  2. Their device prompts them for their biometric, such as a fingerprint
  3. The user presents their biometric and is successfully signed in

OVERVIEW


The FIDO protocols, including FIDO UAF and FIDO2 specifications, use standard public key cryptography techniques instead of shared secrets to provide stronger authentication and protection from phishing and channel attacks. The protocols are also designed from the ground up to protect user privacy.

The protocols do not provide information that can be used by different online services to collaborate and track a user across the services, and biometrics, when used, never leave the user’s device. This is all balanced with a user-friendly and secure user experience through a simple action at login, such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.


For its deployment, Yahoo! JAPAN leveraged FIDO2 standards with biometric authenticators.

“Password disablement is the end goal for us for the overall security and usability of our platform, and we see FIDO as a key factor in helping us get there faster,” — Yumi Ashida, product manager at Yahoo! JAPAN


Yahoo! JAPAN also values its membership in the FIDO Alliance for its role in helping to ease deployment and increase adoption. Membership provides a platform for the company to give direct feedback to other stakeholders, including the operating system platform providers, and to work directly with them on overcoming the challenges it faces. It also allows the company to work with other service providers working on deployments to share experiences and best practices.

“For others deploying FIDO Authentication in the consumer environment, it’s important to understand the time and resources that it will require. But considering the meaningful impact that FIDO brings — it’s well worth it,” — Yumi Ashida, product manager at Yahoo! JAPAN

Realizing the Benefits of FIDO

For users who sign in to Yahoo! JAPAN’s services with FIDO, sign-in time has decreased dramatically, by 37% compared to other login methods. “Because signing in is the entry point to all of our services, quicker and more successful sign-ins mean our users can access our services that much more quickly — this makes a hugely positive impact on our users’ overall experience on our platform,” said Yumi Ashida, product manager at Yahoo! JAPAN.

To increase adoption and get more users to experience these benefits, Yahoo! JAPAN leverages many tactics, including email promotion and pop-up notifications at login to invite users to enroll with FIDO. Key to this strategy is conveying the benefits of FIDO Authentication, including faster sign-ins, more security and the ability to remove the password from the login flow. At the same time, Yahoo! JAPAN is continuously working to ensure its user experience with FIDO is optimized.

eBay’s Journey to Passwordless with FIDO https://fidoalliance.org/ebays-journey-to-passwordless-with-fido/ Wed, 03 Mar 2021 12:09:30 +0000


A global commerce leader connecting millions of buyers and sellers around the world, eBay Inc. enables economic opportunity for individuals, entrepreneurs, businesses and organizations of all sizes. Because its users are at the core of its success, eBay emphasizes providing a positive and secure experience for both buyers and sellers. 

As with most websites, every user’s interaction with eBay begins with logging onto the site and authenticating themselves, i.e., verifying that they are who they say they are. However, the typical authentication sequence using usernames and passwords hurt the user experience – and made eBay more vulnerable to bad actors at the same time. Users were constantly forgetting and resetting their passwords – a frustrating process. And with many buyers and sellers reusing the same password across multiple accounts on multiple sites, a breach on any of those sites could expose eBay to a breach as well. eBay knew it needed to make the authentication process more secure, but not at the expense of the user experience.

INSIDE FIDO STANDARDS

The FIDO protocols, including FIDO UAF and FIDO2 specifications, use standard public key cryptography techniques instead of shared secrets to provide stronger authentication and protection from phishing and channel attacks. The protocols are also designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services, and biometrics, when used, never leave the user’s device. This is all balanced with a user-friendly and secure user experience through a simple action at login, such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.

Prioritizing Security and the User Journey

To add an extra layer of security to the login process, eBay implemented SMS one-time passcodes (OTPs). Even though it provided a more secure option, the method added costs and user friction, and it was still vulnerable to certain security issues.

After reviewing a variety of other options to provide a simple, easy, and secure user authentication experience, eBay decided to roll out FIDO for strong authentication across both its native mobile app and browser-based mobile and web sites.

eBay decided to build its own open source FIDO server, which they felt gave them maximum control of the user experience and the end-to-end login flow. This approach also gives eBay better ability to manage its other login options, such as social logins. 

Realizing the Benefits of Standards

The strength of the FIDO Alliance and the FIDO standard, including the involvement of a wide range of major technology companies, was another significant factor in eBay’s selection of FIDO. 

“Choosing the FIDO standard for eBay user authentication was about more than simply adopting a secure protocol,” said Ashish Jain, head of Identity at eBay. “eBay operates in 190 markets and has a diverse set of users. We needed to make sure that any technology we choose can work consistently across various browsers and platforms.”

eBay’s Journey with FIDO: From Push to Passwordless

As a first step, eBay implemented FIDO for second factor authentication using the FIDO UAF protocol with a push notification flow. This meant that, when a user logged into eBay with a username and password, they would receive a notification from the mobile eBay app to confirm the login. Implemented as an opt-in feature, FIDO immediately garnered significantly higher opt-in rates than the previous SMS OTP solution, validating the FIDO standard’s ease of use.

Six months later, after seeing the already quick user adoption rate continue to rise, eBay decided to take the next step in passwordless authentication. In order to further simplify login flows, the company launched FIDO2 for primary authentication, no longer requiring users to take a second step to log in. Here’s how it works:

  • When the user logs in as normal, eBay detects whether the device supports FIDO2. If so, the user receives a pop-up box asking them if they would like to enroll in passwordless authentication;
  • If they opt in, the user is asked to enroll their facial or fingerprint biometric and is automatically enrolled;
  • The next time the user logs in, all they need to do is present their biometric. No username and no password required.
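The three-step opt-in flow above (and the similar Yahoo! JAPAN sign-in flow earlier on this page), as an added JavaScript example that is not eBay’s or Yahoo! JAPAN’s code: feature detection for an on-device biometric authenticator, the WebAuthn options for enrollment and for the later username-less sign-in, and the server-side origin check that gives FIDO its phishing resistance. The relying-party ID rp.example, the prompt wording and the constructed clientDataJSON in the comments are assumptions, not values from the case study.

```javascript
// Added example (not eBay's or Yahoo! JAPAN's code) of the client and server
// pieces behind the opt-in flow described above, using the W3C WebAuthn API.
// Assumptions: relying party ID "rp.example", server-issued challenges, prompt text.

// Step 1: detect, without prompting the user, whether this device can do FIDO2
// with an on-device biometric (a "platform" authenticator with user verification).
async function canOfferPasswordless() {
  if (typeof PublicKeyCredential === "undefined") return false; // no WebAuthn here
  return PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable();
}

// Step 2: creation options for biometric enrollment. Kept as a pure function so
// the security-relevant settings can be inspected and tested outside a browser.
function buildEnrollmentOptions({ rpId, rpName, userId, userName, challenge }) {
  return {
    rp: { id: rpId, name: rpName },
    user: { id: userId, name: userName, displayName: userName },
    challenge, // Uint8Array from the server; never generated on the client
    pubKeyCredParams: [
      { type: "public-key", alg: -7 },   // ES256
      { type: "public-key", alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      authenticatorAttachment: "platform", // built-in biometric, not a roaming key
      residentKey: "required",             // discoverable: no username needed later
      userVerification: "required",        // the biometric/PIN must actually be checked
    },
    attestation: "none",
    timeout: 60000,
  };
}

// Step 3: a later sign-in. With a discoverable credential and an empty
// allowCredentials list the browser locates the credential itself, so the page
// asks for neither username nor password.
function buildSignInOptions({ rpId, challenge }) {
  return {
    rpId,
    challenge,
    allowCredentials: [],
    userVerification: "required",
    timeout: 60000,
  };
}

// Server side: check the clientDataJSON returned by create()/get(). The browser,
// not the page, writes the origin into this structure, so a credential enrolled at
// https://rp.example cannot be exercised from a look-alike origin. The signature over
// authenticatorData || sha256(clientDataJSON) is verified separately and omitted here.
// `expected.challenge` is the base64url form of the challenge the server issued.
function checkClientData(clientDataJSONBytes, expected) {
  let data;
  try {
    data = JSON.parse(new TextDecoder().decode(clientDataJSONBytes));
  } catch (e) {
    return { ok: false, reason: "unparseable clientDataJSON" };
  }
  if (data.type !== expected.type) return { ok: false, reason: "wrong ceremony type" };
  if (data.challenge !== expected.challenge) return { ok: false, reason: "challenge mismatch" };
  if (data.origin !== expected.origin) return { ok: false, reason: "origin mismatch" };
  return { ok: true, reason: "" };
}

// Browser-only wiring of the three steps (fetchChallenge returns a Uint8Array).
async function offerPasswordlessEnrollment(fetchChallenge, user) {
  if (!(await canOfferPasswordless())) return null;
  if (!window.confirm("Enroll in passwordless sign-in with your fingerprint or face?")) return null;
  const publicKey = buildEnrollmentOptions({ ...user, challenge: await fetchChallenge() });
  return navigator.credentials.create({ publicKey }); // PublicKeyCredential to POST to the server
}

async function passwordlessSignIn(fetchChallenge, rpId) {
  const publicKey = buildSignInOptions({ rpId, challenge: await fetchChallenge() });
  return navigator.credentials.get({ publicKey }); // assertion; the server verifies it
}
```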

Realizing Benefits for Both eBay and Its Users

Less than one year into its implementation of FIDO, eBay is already realizing its benefits: not only are opt-in rates higher than for SMS OTPs, but login success and completion rates have also significantly improved, especially on mobile devices. eBay started to roll out FIDO2/WebAuthn on Android/Chrome and has since expanded to Mac, Windows and iOS. Recently, eBay has also added support for roaming authenticators, such as security keys, providing another secure way to access eBay.

Looking Forward to a Completely Passwordless Future

In order to implement completely passwordless authentication, eBay must have a process in place for recovering accounts if a FIDO authenticator is lost or when a user adds a new device. In typical password authentication, users can recover their accounts through the email/password reset process, but removing the password from the equation presents a new challenge.

According to Jain, solving this issue is a priority for his team in the next six months.

“Today, our users can experience much faster and convenient login experiences by opting in to FIDO,” observed Jain. “But to fully realize the security benefits of FIDO, we’re looking forward to disabling passwords entirely. By taking one step at a time and working as an industry to find solutions to issues like account recovery, we believe we will get there.”

View the eBay Case Study PDF document here.

National Health Service uses FIDO Authentication for Enhanced Login https://fidoalliance.org/national-health-service-uses-fido-authentication-for-enhanced-login/ Wed, 24 Feb 2021 16:27:08 +0000


To make it easier and faster for patients throughout England to securely access multiple digital health and social care services, the National Health Service (NHS) created NHS login, an authentication and identity verification service based on OpenID Connect that allows the public to access NHS resources with a single login. NHS login can be used to securely access confidential health and care information through apps and websites that display the NHS login button.

The NHS App, which provides simple and secure access to a range of NHS services such as booking medical appointments and ordering repeat prescriptions on iOS and Android, was the first service to use NHS login to identify and verify users. NHS login and the NHS App were initially rolled out in tandem, which created a natural opportunity for the two programmes to work closely and gather initial user feedback.

With NHS login and the NHS App, the NHS was challenged with delivering secure, user-friendly multi-factor authentication mechanisms that met the standards and guidelines set for public services, in a short timeframe. The NHS turned to FIDO Authentication to solve the challenge.

CHALLENGE
Compliant, User-Friendly Login

Due to the sensitive nature of the information provided by the NHS App, security is of utmost importance. As such, users had to use a two-factor authentication (2FA) method when logging into the app, which required both a password and an SMS one-time passcode (OTP). It quickly became evident that this method of authentication was too cumbersome for users and became a real barrier to adoption. The NHS realized an alternative, password-free login method was needed to simplify everyday access for users.

This posed a challenge for the NHS Digital team that created NHS login and the NHS App: Not only did the new solution need to meet the security standards and guidelines set for public services, it had to be done on a very tight deadline due to a ministerial-level commitment.

THE ROAD TO FIDO:
The NHS’s Evaluation Process for NHS login & NHS App

A fundamental requirement of NHS login and NHS App is a nationally agreed-upon approach to identity management for health and care, conformant with identity assurance principles endorsed by the U.K. government. NHS Digital decided that to meet these standards, biometric login would be the alternative login method for the applications. Since NHS login was already using OpenID Connect Authorisation Code Flow protocol – an open standard and decentralized authentication protocol – for user authentication, any platform used to develop biometric login would need to place great emphasis on developing a platform with open and scalable standards.

The NHS login team looked at a number of platforms that could meet their needs, and measured each on six criteria including:

1. Open, scalable standards

2. Public key cryptography

3. Biometric information stored on the user’s device, not the NHS or medical provider’s servers

4. Support for Android and iOS mobile platforms

5. Market/sector agnostic

6. Used by well-established applications and organizations

The NHS login team’s research revealed that FIDO Authentication, specifically the FIDO UAF protocol from FIDO Alliance, met all of the above criteria. They found that using FIDO in combination with the OpenID Connect Authorisation Code Flow would help NHS login to enable their partners to offer an enhanced login experience to their patients through device-based biometric authentication.

OVERVIEW


The FIDO protocols, including FIDO UAF and FIDO2 specifications, use standard public key cryptography techniques instead of shared secrets to provide stronger authentication and protection from phishing and channel attacks. The protocols are also designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services, and biometrics, when used, never leave the user’s device. This is all balanced with a user-friendly and secure user experience through a simple action at login, such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.

The Solution
NHS Digital decided that biometric authentication would best address its needs and, following a search of platforms that complied with their requirements, FIDO UAF from the FIDO Alliance was found to best fulfill the criteria, including open and scalable standards and support for mobile browsers.

The Results
NHS App with the option for biometric authentication login has a user base of approximately 1.2 million and is growing at an average rate of 32,000 new users per week. The number of SMS OTPs that NHS Digital has needed to send to users has dropped by nearly two-thirds, to about 1.5 per user per month down from about four per user per month, which represents a significant cost savings for the organisation.

Inside the FIDO protocols

The FIDO protocols, including FIDO UAF, use standard public key cryptography techniques instead of shared secrets to provide stronger authentication. The protocols are also designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services, and biometric information never leaves the user’s device. This is all balanced with a user-friendly and secure user experience through a simple action at log in, such as fingerprint or facial biometrics.


“FIDO biometrics has enabled users to use device-based authentication making access to NHS services using an NHS login even easier. We continually receive positive feedback regarding the speed and straightforwardness of accessing health and care websites and apps using fingerprint and facial recognition.”

– Melissa Ruscoe, Programme Head at NHS login

FIDO UAF Development

The NHS used its in-house development team to integrate FIDO UAF, starting from the open source UAF server from eBay. Because NHS login is a serverless architecture, NHS Digital rewrote the FIDO server to run on AWS Lambda, in Python, backed by DynamoDB. The NHS App also used eBay’s open source UAF client as a guide for the Android implementation; this required a number of changes, including rewriting it in Kotlin and packaging it as a client. For iOS, the NHS App team built a UAF client in Swift, packaged with CocoaPods.

Deployment and user experience with FIDO UAF

NHS Digital initially expected to need FIDO UAF to build NHS App as a comprehensive gateway for patients, but found it only had to include the basic information patients would normally seek online. By keeping the app “thin,” NHS Digital left room for those using the platform to build their own features on top of NHS App. To enable this, NHS Digital exposed the APIs so others could develop their own apps to meet their users’ specific needs, while still granting safe, secure access to their data.

As of October 2020, there are 20 live partners and services integrated with NHS login. NHS App, with the option for biometric authentication login, has a user base of approximately 1.2 million, with an average of 250,000 FIDO authorization requests each week. The user base continues to grow at a rate of 32,000 new users per week, of whom roughly 25,000 set up FIDO UAF biometric authentication. Biometric authentication has reduced the number of SMS one-time passwords (OTPs) NHS Digital has to send by nearly two-thirds, to about 1.5 per user per month, down from about four per user per month. This is a significant cost saving for the organisation, since each SMS OTP costs on average 1.58p plus value-added tax.

Future Improvements

NHS Digital is committed to open-sourcing the solution: the FIDO client libraries are already available for both iOS and Android, and the team is working to make the FIDO server libraries open source as well.

For the future, NHS Digital is looking at employing FIDO2 WebAuthn to support a wider range of use cases and applications.

View the NHS Case Study PDF document here.

Deploying FIDO in Japan: An Interview with SBI Sumishin Net Bank https://fidoalliance.org/deploying-fido-in-japan-an-interview-with-sbi-sumishin-net-bank/ Sat, 10 Oct 2020 19:20:01 +0000


SBI Sumishin Net Bank is an Internet-focused bank jointly established in 2007 by SBI Holdings and Sumitomo Mitsui Trust Bank. In keeping with their aim to be recognized for innovation, the bank deployed FIDO Authentication in July 2020. We had an interview with the bank about the details of their deployment.

Q. Describe your service and how it’s using FIDO Authentication.

We have incorporated FIDO-compliant authentication into our existing “SBI Sumishin Net Bank” mobile application. Now, a single application is available to provide both banking and authentication functions to our customers. This eliminates the need for our customers to enter passwords and verification codes for each transaction. Instead, they can simply log in to the SBI Sumishin Net Bank App with biometric authentication. Even when transactions are made from a PC or other non-mobile application environments, the application will confirm and approve the transaction details before they are executed, preventing unauthorized transfers. Furthermore, when using the login approval function, only the registered smartphone can remove any control, which prevents unauthorized logins.

Q. What FIDO specification(s) did you implement? 

We have deployed a solution based on FIDO UAF, which uses biometrics (fingerprint and facial recognition) and PIN as the authentication methods.

Q. What other approaches did you consider before choosing FIDO? 

We looked at continuing with the existing smartphone application “Smart Authentication,” which is a separate application the customer would have to use to authenticate logins and bank transactions. However, we saw it as difficult to operate two applications separately and saw it as a burden for our customers to have to use two separate applications just to bank with us.

Q. Why did you choose FIDO authentication over other options? What did you identify as advantages of implementing FIDO?

Although there are various types of authentication methods available, the fact that FIDO Authentication is a global standard developed by a global consortium, the FIDO Alliance, and that we have seen it increasingly being deployed in Japan and globally, were two factors that made it very appealing to us.

Q. Why did you decide on a standards-based approach? 

There are two main reasons why we chose to take a FIDO standards-based approach.

First, FIDO Authentication provides stronger security. FIDO Authentication enables safe exchange of authentication results over the network, and the credential is stored only on the device that performs the authentication (in our case, the smartphone) and does not need to be transmitted over the network or stored on the server side. 

Second, FIDO improves convenience for our customers. By incorporating authentication into our existing banking app, we are making it possible to complete both banking and authentication functions in a single app, enabling smooth transactions without having to enter passwords or other information.

Q. What steps were involved in your roll out of FIDO Authentication? Did you work with a partner? 

We implemented the FIDO-compliant “SaAT Pokepass Authentication Service” provided by Net Move Corporation (“Net Move”), a wholly owned subsidiary of SBI Sumishin Net Bank. The new authentication function “Smart Authentication NEO” was deployed by incorporating the client SDK for this service into the bank application.

Q. What other data points can you share that show the impact FIDO authentication has had?

On July 31, 2020, we launched a new authentication feature, “Smart Authentication NEO.” On the quantitative side, the number of new registered customers has reached approximately 100,000 in just three weeks since its launch, and we expect this number to increase further in the future.

On the qualitative side, many customers have commented on the convenience of being able to use a single app for both banking and authentication functions.

Q. What advice would you give to other organizations considering rolling out FIDO authentication? 

Again, our company’s FIDO authentication uses Net Move’s “SaAT Pokepass Authentication Service.” By collaborating with Net Move, we were able to deploy the new authentication function “Smart Authentication NEO” in a short period of time.

In addition to FIDO authentication, Net Move already has an installed base at more than 100 financial institutions, including “SaAT Netizen,” an anti-fraudulent remittance service, and we believe that Net Move can help to solve these issues.

Q. What role do you see FIDO Authentication playing for your company in the future?

The “Smart Authentication” service will be discontinued after January 2021, and we will move exclusively to the FIDO-enabled “Smart Authentication NEO” app. We see moving to the FIDO-enabled app as the key authentication function, which will further allow us to provide secure and convenient experiences for our customers.

Q. If you are able, please provide a quote from an executive regarding this deployment and the impact FIDO has had for your organization.

Quote from the project manager of SBI Sumishin Net Bank:

“Our goal is to revolutionize financial services and make society more comfortable and convenient by utilizing the most advanced technology with a customer-centric approach. Security is an extremely important factor in achieving this goal, and we believe that the introduction of FIDO will make a significant contribution.”

First Citrus Bank Eliminates the Password for Employees https://fidoalliance.org/first-citrus-bank-eliminates-the-password-for-employees/ Fri, 14 Aug 2020 14:31:53 +0000


Florida-based First Citrus Bank provides premier independent community banking services to individuals, professionals, executives and entrepreneurs. With 70 employees in five locations, First Citrus is ranked in the top five Tampa Bay community banks by asset size.

Struggling with costs, complexities and security issues with passwords, First Citrus sought to increase security and usability for its employees logging into its various systems on shared Windows workstations. After testing several alternative authentication methods, First Citrus turned to FIDO Authentication as the best option to provide strong cryptographic authentication with a much easier passwordless user experience.

Eliminating the password

First Citrus sought to move away from passwords as the primary form of authentication for its employees logging on to its systems on shared Windows workstations. Between costly resets and a negative impact on employee productivity, First Citrus’s main objective was to eliminate the need for its employees to have to enter a password while providing secure user authentication.

The bank evaluated several desktop authentication options including smart cards and time-based one-time passwords (TOTPs), but found that these options added friction for their employees’ logins, creating a poor user experience while not providing enough additional security. All of the options they reviewed also still required password entry.

Taking a standards-based approach to passwordless authentication

First Citrus then looked to FIDO Authentication, a standards-based approach to strong authentication. The interoperability that comes with taking a standards-based approach fit well into First Citrus’s broader security strategy.

FIDO standards use on-device public key cryptography to provide authentication that is stronger than passwords and than other common forms of strong authentication; the private key is never shared and never leaves the user’s device. The protocols are also designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services, and biometric information never leaves the user’s device. This is all balanced with a simple user experience that meets passwordless use cases with native biometrics on the user’s device.

It was important to First Citrus to choose an end-to-end FIDO Certified solution in order to roll out FIDO Authentication to all of its access points with assured security and interoperability. The bank chose to work with HYPR, which offers FIDO Certified platforms for FIDO UAF (mobile-based passwordless authentication) and FIDO2 (mobile and desktop passwordless and second-factor authentication) standards. The mixture of these FIDO specifications allows First Citrus to cover mobile and desktop requirements for user authentication.

Simpler, mobile-initiated authentication for all employees

First Citrus deployed HYPR’s FIDO platform to provide truly passwordless authentication for all of its employees logging into Windows 7 and 10 workstations. Deployment was straightforward: within an hour, the bank was able to have computers leveraging FIDO Authentication. After a several-month evaluation period, First Citrus rolled out the FIDO solution to all of its employees in February 2019.

For First Citrus employees, logging in is now mobile-initiated. They simply use the native biometrics on their mobile device (iOS or Android) to log in to any First Citrus desktop workstation, with far higher FIDO security and privacy over the old password model. Employee feedback has been positive; the chief financial officer has joked, “I’ve completely forgotten my password!” HYPR’s FIDO Certified platform has now become a core component of First Citrus’s internal authentication strategy, with the possibility of extending FIDO authentication options to its online banking customers in the future.

View the First Citrus Bank Case Study PDF document here.

OVERVIEW

First Citrus is ranked in the top five Tampa Bay community banks by asset size, with 70 employees in five locations.

Objective
First Citrus sought to eliminate the need for employees to have to enter a password while providing secure user authentication.

Solution
First Citrus implemented HYPR’s FIDO Certified authentication platform, which provides simpler and secure mobile-initiated biometric logins for all employees to Windows workstations.

What’s Next
FIDO and HYPR have now become core components of First Citrus’s authentication strategy, with the possibility of extending FIDO authentication options to its online banking customers in the future.


Deploying FIDO in Japan: An Interview with KDDI https://fidoalliance.org/deploying-fido-in-japan-an-interview-with-kddi/ Tue, 14 Apr 2020 15:18:28 +0000

KDDI recently deployed FIDO in Japan. We sat down for an interview with Yamada Yasuhisa, Executive Officer at KDDI to find out more about the KDDI deployment. 

Can you tell us about KDDI?

KDDI is a telecommunication service provider in Japan, offering both mobile and fixed-line communications. KDDI has a well-established base of over 40 million customers and offers mobile services and shopping through its “au” brand. KDDI is also expanding its services into the “Life Design” business, which includes e-commerce, fintech, nationwide electric power utility services, entertainment and education. With a 60-year history, KDDI is now focusing on creating smart infrastructure through IoT technologies and open innovation with partners and start-up companies in diverse industries. KDDI is accelerating the global growth of its telecommunications consumer business, with operations in Myanmar and Mongolia, and in the global ICT business with the “TELEHOUSE” brand. KDDI (TYO:9433) is listed on the Tokyo stock exchange. 

How are you using FIDO?

Today we are using FIDO authentication in a few different areas. The first, just launched on April 14, 2020, is our “au ID” platform, which is our service for our users to identify themselves and access our services; we have a huge number of active users. FIDO is one of the authentication methods available for “au ID.” We offer FIDO on web browsers and Android initially, and plan to support iOS in the future.

The other area where we offer FIDO is our Software-as-a-Service (SaaS) solution. This solution enables online service providers to deploy FIDO2 easily. As a network operator, we have experience, and the FIDO solution we offer is no exception.

It’s important that we can support online service providers along their customers’ entire authentication journey: onboarding, authentication and account recovery. So, we also offer customer identification services to fit in with our FIDO offering. There’s a gap in the customer journey with FIDO, which is account recovery. How do you recover your account if you lose your FIDO authenticator? We aim to fill this gap by providing identity verification of our large customer base. Thus, we’re supporting online service providers along the entire customer journey.

What specification(s) did you implement?

We implemented a FIDO2 server with biometric authentication.

Why did you choose FIDO standards? What were the challenges you were trying to overcome? 

There are several reasons why we chose FIDO. The first is security; FIDO is the best way to counter phishing attacks. The second is user experience; biometric authentication is much easier than passwords. The third is interoperability. With other approaches, developers have to implement authentication logic for each platform – iOS, Android and web. We wanted to design a “write once, work everywhere” system. FIDO helped us achieve that goal.   

Why did you choose FIDO authentication over other options? 

For us, the most important thing about adopting FIDO was that it was a web (W3C) standard. Again, this helped us to achieve our goal of “write once, work everywhere.”

What steps were involved in your roll out of FIDO authentication? Did you work with a partner?

We developed and implemented FIDO authenticator and server from scratch. We worked closely with the FIDO Japan Working Group through the development; I would like to thank them for their support. It was very exciting to work with them. 

What role do you see FIDO authentication playing for your company in the future?

We believe that FIDO will accelerate our identity business even further. It will also enhance the security of our internal systems.

What advice would you give to other organizations considering rolling out FIDO authentication?

Talk to other stakeholders; companies, such as KDDI, are offering turnkey solutions! 

Thank you for talking with us! Where can we learn more about KDDI?

You can find KDDI on the web at http://www.kddi.com/english/.

U.S. General Services Administration’s Rollout of FIDO2 on login.gov https://fidoalliance.org/u-s-general-services-administrations-rollout-of-fido2-on-login-gov/ Thu, 19 Mar 2020 14:15:00 +0000


The General Services Administration’s (GSA’s) login.gov provides single sign-on for the U.S. public and federal employees to interface and transact with federal agencies online. With one account, users can access services like the federal government’s job board, USAJOBS, and the Department of Homeland Security’s Trusted Traveler Programs, such as Global Entry. In addition to enabling users to access federal government services more easily, login.gov handles software development, security operations, and customer support. This allows agencies to focus on their core missions, while reducing costs and improving security. It also allows the login.gov team to focus on protecting one service instead of many, and to adopt best practices for security and account management.

THE CHALLENGE:
Balancing Security, Convenience, and Cost

As the U.S. government continues to modernize e-government services for both federal employees and the public, there is a challenge to provide these services in a manner that is secure, user-friendly, efficient, and cost-effective. With phishing attacks on the rise, it was imperative for the government to support “phish-proof” multi-factor authentication (MFA) technology.


THE ROAD TO FIDO:
GSA’s Evaluation Process for login.gov

The GSA evaluated several options for authentication for login.gov with three main priorities: security, cost, and compliance.

OVERVIEW

The Challenge
With phishing attacks on the rise, it was imperative for the government to support “phish-proof” multi-factor authentication (MFA) technology that was also user-friendly, efficient and cost-effective.

The Solution
After evaluating several options for authentication for login.gov, the government decided to support FIDO2 through the use of FIDO security keys and built-in FIDO authenticators like Windows Hello biometrics. Through comparison to other options, they found FIDO to check the box for security, usability, cost and compliance.

The Results
GSA rolled out authentication with FIDO2 in September 2018. With initial adoption equating to about 2,000, or 0.2%, of new users, GSA made it a requirement for users to register a second MFA option. As a result, the number of new FIDO2 security keys increased to 17,000 per month. In late June 2019, there were about 27,000 FIDO2 keys registered and the adoption rate has increased to about 3% of all new users, representing a significant increase from initial rollout.

Security

One of the options for MFA GSA examined was SMS one-time passwords (SMS OTPs).

They found that SMS OTPs were a popular MFA option for users. Although convenient, SMS OTPs introduce avoidable security risks to users; this includes malware inadvertently downloaded onto a mobile phone that could monitor the user’s text messages. Additionally, GSA experienced a lot of issues with phishing, especially targeting accounts that were controlling bank information and personally identifiable information, including the user’s date of birth and Social Security Number. For login.gov, GSA wanted to offer a secure alternative to SMS OTPs that could prevent phishing, and began evaluation of FIDO2 authentication standards.

FIDO2 is a set of strong authentication standards that enables users to leverage common devices like on-device biometrics and FIDO security keys to authenticate to online services with phishing-resistant cryptographic security. The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).

After reviewing the FIDO Alliance’s FIDO2 standards, GSA found that FIDO2’s phishing resistance made it the most appropriate approach to address its security challenges.

INSIDE FIDO STANDARDS

The FIDO protocols, including the FIDO2 specifications, use standard public key cryptography techniques instead of shared secrets to provide stronger authentication and protection from phishing and channel attacks.

The protocols are also designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services, and biometrics, when used, never leave the user’s device.

This is all balanced with a user-friendly and secure user experience through a simple action at login, such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.


Reduce Costs

In addition to security concerns, GSA found SMS OTPs quite expensive to manage. Without alternatives, those expenses would continue to escalate as more and more users are onboarded to login.gov.

With FIDO2, GSA could leverage a “bring your own FIDO security key” approach, making it more cost effective. The federal government does not sell or provision authenticators, but enables the use of authenticators previously provisioned.


Compliance

NIST’s Digital Identity Guidelines – Authentication and Lifecycle Management (Special Publication 800-63B) is the guidance federal agencies must adhere to when authenticating users to their networks. The 2017 guidance reclassified SMS OTPs as a “restricted” authentication technology. This means that agencies need to offer users at least one alternate authenticator that is not restricted. They also must provide users with meaningful information on the security risks of the restricted authenticator (SMS OTP) and the availability of alternatives. FIDO standards provide a secure alternative that meets NIST guidelines for high assurance strong authentication.


FIDO2 Development

Prior to development, GSA utilized a Google developer resource on enabling strong authentication with FIDO2 WebAuthn on developers.google.com. To assist with server-side processing, GSA used the webauthn-ruby gem from GitHub, which greatly expedited development, including backend processing. In addition, GSA used the W3C reference material for further clarification on any issues encountered.

All of GSA’s code for login.gov is open source, on GitHub in the 18F/identity-idp repository. Because FIDO2 is a standards-based authentication technology, implementing support for it was extremely fast: it took a small team of three developers just two weeks to develop and move into production.


Deployment and User Experience with FIDO2

GSA rolled out authentication with FIDO2 in September 2018. login.gov supports FIDO2 through the use of FIDO security keys and built-in FIDO authenticators like Windows Hello biometrics. For users, these are all referred to as “security keys” during user onboarding. The process for setting up FIDO2 at login.gov works like this:

  1. When a user is creating a login.gov account, they enter their email address and create a password. Login.gov will first send an auto-generated email for the new user to confirm their email address.
  2. Then, they are instructed to select and set up MFA from a menu of options, including SMS OTP, FIDO2 security keys, and backup codes.
  3. To set up FIDO2, the user will select the “Security Key” option.
  4. The user can create a nickname for their security key.
  5. They are prompted either to insert a hardware security key into their computer and touch it or, if their device has a supported built-in authenticator, to use it, for example by looking into the camera or touching a fingerprint sensor.
  6. The user is presented with a “success screen” and then they can access their login.gov account.

Many users take advantage of the “Remember Device” option when signing in. For example, if the user is using a laptop and checks “Remember Device,” they will not need MFA on that laptop again for another 30 days.


Support of Non-FIDO2 Security Keys

During testing, the development team discovered that several hardware security keys were failing. The majority of the failures were because the keys were not FIDO2-compliant. After considering adding support for non-FIDO2 security keys, the team decided not to, because it would have taken considerably more time and effort than implementing WebAuthn alone. GSA plans to revisit support for non-FIDO2 keys at a later date. A list of FIDO2 Certified authenticators can be found on the FIDO Alliance website.


FIDO User Adoption: On the Upswing

Initially, users registered about 2,000 new FIDO2 keys per month, which equates to about 0.2% of new users. In analyzing authentication statistics, GSA found that users were more often choosing mobile/SMS OTP options for MFA. In May 2019, GSA began requiring new users to register a second MFA option, to increase awareness and adoption of FIDO2. That change increased the number of new FIDO2 authenticators to 17,000 per month, and to 27,000 in the month of June alone; the adoption rate increased to about 3% of all new users, a significant increase from the initial rollout. GSA is considering the same requirement for existing users, but is looking at doing so without hindering the user experience.

As of June 2019, login.gov onboards about one million new users per month and that is expected to grow as agencies continue to add additional services. GSA has high expectations for the use of built-in authenticators to increase adoption, because it does not require users to acquire a separate FIDO security key.


Future Improvements for Increased Adoption

One of the challenges login.gov has faced is user education. Specifically, informing users that they have the option to enroll with FIDO2 and educating them about what FIDO is and how to set it up. It can be a challenge to accomplish this without confusing the set of users who are not able to set up FIDO, either because they don’t have a FIDO2 security key or don’t have a built-in authenticator.

Another area GSA is working on is the onboarding process and the use of the term “security key” for all FIDO authenticators. As of September 2019, user research is underway on prompting users to set up whatever their device is named rather than using the security key language. Preliminary findings indicate that adoption would improve by keeping the security key option for users who have a physical security key and adding separate options for users with built-in authenticators, e.g. “use your Android phone” or “use your Windows Hello device.” This will give users clarity around their options so they will be more likely to set one up.

Another enhancement under consideration is a feature called “MFA Checkup.” This is to address the real-world problem that occurs when users change their smartphone and lose their backup codes. Login.gov would display a screen informing the user of the methods available or provide the user with the option to replace a method.

Ultimately, GSA sees these actions to streamline user communications and make user authentication options more clear as key to increasing user adoption and help both GSA and end users realize the full security, usability and cost reduction benefits that FIDO Authentication provides. As one of the first governments to offer FIDO Authentication for login to e-government services, GSA strives to be a model for other governments to follow.

View the U.S. General Services Administration’s Rollout of FIDO2 on login.gov PDF here.

NTT DOCOMO Deployment Case Study: Your Security, More Simple https://fidoalliance.org/ntt-docomo-deployment-case-study-your-security-more-simple-2/ Tue, 08 Oct 2019 18:37:47 +0000

The Challenge with Passwords


NTT DOCOMO, INC. is Japan’s largest mobile network operator with over 78 million subscriptions — and is responsible for protecting the data of each one.

To provide access to DOCOMO-branded services, partner services, and carrier billing payments, DOCOMO long allowed customers to log in and authenticate using passwords including a four-digit password. This created a number of challenges — particularly because passwords are frustrating to use, and it is difficult to have to remember multiple passwords.

DOCOMO needed to find a solution that would resolve its password-related issues.

The Best of Both Worlds with FIDO Authentication

After reviewing the different approaches to authentication available, DOCOMO settled on the FIDO authentication model as the best strategy for solving the current and future authentication needs of its customers. It found that by deploying cross-platform, FIDO-enabled, privacy-respecting biometric authentication, it could offer a solution that is simultaneously more secure and more convenient. Notably, the biometric information never leaves the user’s device, which protects the user’s privacy.

FIDO-based biometric authentication relies on FIDO standards that use public key cryptography to protect users against a variety of attacks, including phishing, brute force and man-in-the-middle attacks. Users register a credential, unlocked by their on-device biometric, with any online service that supports the protocol.

When considering a new authentication approach, DOCOMO found FIDO to be the best option because it allowed them to:
• Implement in a straightforward manner that aligns with the FIDO ecosystem for long-term sustainability and continuity of authentication as a service
• Utilize the standards in a way that allows different types of authenticators, such as fingerprint sensors and iris scanners
• Protect the security of users and ecosystem partners with FIDO’s privacy policy, which states that biometric data and private cryptographic keys will never leave the user’s device

NTT DOCOMO Overview

In May 2015, NTT DOCOMO began offering FIDO Authentication on four devices (including the world’s first iris scanner-equipped smartphone) from multiple OEMs and a FIDO-enabled server. With this, DOCOMO became the world’s first mobile network operator to deploy FIDO Authentication throughout its network, delivering simple, strong authentication for DOCOMO’s millions of customers across multiple services with d ACCOUNT™, an OpenID-based account for customers nationwide.

By eliminating passwords with FIDO standards, DOCOMO is able to deliver a superior end-user experience that includes enhanced security features. It is also able to introduce innovative new services and product offerings that can utilize standards-based platforms and devices.

NTT DOCOMO’s FIDO-based Solutions in Practice

Today, DOCOMO has shipped an impressive suite of more than 60 FIDO-enabled d ACCOUNT Authentication compliant Android devices. Of these, DOCOMO has shipped 36 FIDO UAF 1.0 Certified Android devices, while newer devices have been shipped with a pre-installed FIDO UAF 1.1 application to utilize Android’s built-in FIDO capabilities.

In addition, all Touch ID/Face ID-equipped iOS devices are also available for d ACCOUNT Authentication.

Using FIDO specifications, DOCOMO is enabling its customers to securely authenticate themselves with fingerprint or iris biometrics instead of a password with the DOCOMO d ACCOUNT app that incorporates FIDO Authentication. From there, they have secure access to DOCOMO account details, billing and services, including mobile gaming and music platforms d game™ and d music™, and shopping sites such as d delivery™ and d shopping™. DOCOMO also replaced carrier billing password authentication, allowing customers to approve their payments via biometrics built into their device.

In addition to DOCOMO-branded services at d market™, various partner services are able to utilize FIDO Authentication through carrier billing payment and as a federated ID utilizing OpenID Connect without any modifications.

DOCOMO also provides FIDO Authentication at scale by allowing other relying parties to utilize its FIDO Certified on-device biometrics. For example, Mizuho Bank, a major bank in Japan, uses DOCOMO’s FIDO Certified authenticator to allow its own customers to access their mobile banking app.

Enabling a More Secure Future

As a market leader with a clear strategic investment in the FIDO ecosystem, DOCOMO joined the FIDO Alliance as a Board Director in 2015 and has been contributing to the development of FIDO standards and best practices.

DOCOMO is responsible for establishing and chairing the FIDO Deployment-at-Scale Working Group (D@SWG), which was formed to accelerate overall deployments of FIDO solutions by bringing together online service providers and device manufacturers to share lessons learned, produce case studies, and establish industry best practices for deploying FIDO Authentication at internet scale. This group has since spun off three Deployment Working Groups for consumer, enterprise, and government, with DOCOMO chairing the FIDO Consumer Deployment Working Group (CDWG).

In addition, DOCOMO drove the formation of the FIDO Japan Working Group (FJWG) in 2016 and has taken a leadership role as Chair. The FJWG has been driving FIDO adoption in Japan by facilitating communication, cooperation and improved awareness of FIDO Alliance and FIDO Authentication in Japan.

View the NTT DOCOMO Deployment Case Study PDF document here.

FIDO in Action: Real World Deployment Case Studies https://fidoalliance.org/fido-in-action-real-world-deployment-case-studies/ Thu, 26 Sep 2019 15:39:37 +0000 http://fidoalliance.org/?p=28948 The post FIDO in Action: Real World Deployment Case Studies appeared first on FIDO Alliance.

FIDO Authentication in Hong Kong https://fidoalliance.org/fido-authentication-in-hong-kong-2/ Thu, 26 Sep 2019 15:37:32 +0000 http://fidoalliance.org/?p=28945 The post FIDO Authentication in Hong Kong appeared first on FIDO Alliance.

Going Passwordless with Microsoft https://fidoalliance.org/going-passwordless-with-microsoft/ Thu, 26 Sep 2019 15:35:37 +0000 http://fidoalliance.org/?p=28943 The post Going Passwordless with Microsoft appeared first on FIDO Alliance.

A First Step to a World Without Passwords https://fidoalliance.org/a-first-step-to-a-world-without-passwords/ Thu, 26 Sep 2019 15:31:49 +0000 http://fidoalliance.org/?p=28940 The post A First Step to a World Without Passwords appeared first on FIDO Alliance.

FIDO Case Study: Performance Comparison of Multimodal Biometrics https://fidoalliance.org/fido-case-study-performance-comparison-of-multimodal-biometrics/ Thu, 26 Sep 2019 15:26:18 +0000 http://fidoalliance.org/?p=28938 The post FIDO Case Study: Performance Comparison of Multimodal Biometrics appeared first on FIDO Alliance.

Enterprise Deployment of FIDO in SKT https://fidoalliance.org/enterprise-deployment-of-fido-in-skt/ Thu, 26 Sep 2019 15:20:52 +0000 http://fidoalliance.org/?p=28936 The post Enterprise Deployment of FIDO in SKT appeared first on FIDO Alliance.

Enhancing Security with FIDO https://fidoalliance.org/enhancing-security-with-fido/ Thu, 26 Sep 2019 15:11:16 +0000 http://fidoalliance.org/?p=28928 The post Enhancing Security with FIDO appeared first on FIDO Alliance.

Visa Case Study https://fidoalliance.org/visa-case-study/ Mon, 28 Jan 2019 20:24:25 +0000 http://fidoalliance.org/?p=24923

The post Visa Case Study appeared first on FIDO Alliance.

Visa recently released its ID Intelligence suite of services to help organizations better identify and authenticate users. Banks, card issuers, and even merchants are being confronted with the need to strengthen their authentication capabilities to mitigate risks and meet compliance rules under directives such as PSD2. Through this suite of services, these organizations can easily obtain the different authentication capabilities they need from a trusted provider with a single point of integration. Visa has chosen to make a FIDO-based implementation of biometrics one of these offerings as it aligns with their strategic approach to authentication.

With ID Intelligence, organizations work through a single source to integrate a select set of identification and authentication solutions. These solutions fall into four categories:

  • Authenticate with biometrics
  • Authenticate with a photo ID and selfie
  • Authenticate the data provided by the user (PII validation)
  • Authenticate the device data (trusted vs. suspicious)

There is a wide variety of biometric platform providers in the market today. For ID Intelligence, Visa partnered with Daon to deliver FIDO-compliant biometrics capabilities. Daon offers both a FIDO-compliant and a non-FIDO solution, but only the FIDO-compliant solution is part of the ID Intelligence suite. The appeal of the FIDO protocol came from its alignment with Visa’s approach to authentication, which prioritizes protecting user data, leveraging available data to make better decisions, devaluing data when it is compromised, and empowering the customer.

Implementation requires integrating the SDK with the client’s mobile application, which is typically a six- to twelve-month process, along with on-premises hosting of the FIDO server. And while Visa is looking to extend the range of authentication solutions it offers as part of the ID Intelligence suite, the FIDO-compliant biometrics capability is available today.

This case study originally appeared in Javelin Strategy & Research’s “The State of Strong Authentication 2019” report.

Tradelink Case Study https://fidoalliance.org/tradelink-case-study/ Mon, 28 Jan 2019 20:11:46 +0000 http://fidoalliance.org/?p=24922

The post Tradelink Case Study appeared first on FIDO Alliance.

Established in 1998, Tradelink is a publicly traded company that acts as a gateway between the Hong Kong government and commercial businesses. Since its inception, Tradelink has been at the leading edge of online security – first in facilitating communications between the government and traders and, more recently, as a provider of security for the HK banking industry. One aspect that has been central to delivering these secure interactions since late 2016 has been the FIDO protocol.

Early on, the organization decided that the Internet would be its channel for managing communications. It made security a priority and leveraged public key infrastructure (PKI). Originally used for communications between the HK government and traders, the technology was eventually opened up to the banking industry.

Since that time, Tradelink’s approach to authentication has continued to evolve, leading the organization to FIDO. At first there was a trend to move away from digital certificates and towards one-time passwords. Approximately four years ago, Tradelink began to explore biometrics as a solution in partnership with the banking industry, which helped fund the effort. After examining different technologies and standards worldwide, Tradelink decided to use FIDO-based authentication starting in 2016.

In their estimation, adoption by banks has been strong because no information about the user is sent from mobile devices. Whoever the service provider is, whether a bank or Tradelink, it does not need to transmit or store the biometric data, which matters under Hong Kong’s stringent data privacy protection requirements. This, together with the adoption of public key cryptography as the backbone of the FIDO standard, was the other major factor driving banks to rapidly adopt FIDO.

In fact, the appeal of this biometric approach has resonated extremely well in Hong Kong. As evidence, the Hong Kong Government will launch a new initiative for electronic ID in 2020 that will leverage FIDO to authenticate citizens online.

This case study originally appeared in Javelin Strategy & Research’s “The State of Strong Authentication 2019” report.

Google Case Study https://fidoalliance.org/google-case-study/ Mon, 28 Jan 2019 20:03:17 +0000 http://fidoalliance.org/?p=24921

The post Google Case Study appeared first on FIDO Alliance.

From Google’s perspective, defending against phishing is the key to securing employees’ and customers’ accounts. With the prevalence of cloud-based services, both among consumers and within enterprises, usernames and passwords are frequently the only thing stopping malicious actors from compromising data. With authentication using FIDO protocols, the authenticator provides cryptographic proof that the user is interacting with the legitimate service; even if the authenticator’s response is captured in transit, it cannot be successfully replayed by malicious actors to impersonate the user.


Over two years ago, Google published the result of their internal implementation of FIDO U2F security keys, and reported impressive outcomes. According to the company, there has not been a successful phishing attack against their 85,000+ employees since requiring use of physical security keys. Since the publication of this report, Google has taken a number of other notable steps with integrating FIDO protocols into their consumer and enterprise authentication flows.

Most recently, Google has released their own U2F hardware security key, known as the Titan Security Key. Titan Security Keys provide both a familiar USB security key and a Bluetooth version, which enables the security key to authenticate via users’ smartphones. While the Titan Security Key is available generally for purchase, it is intended largely for enterprise users, especially those who already use Google’s cloud services.

With the release of Chrome 70, Chrome will support the credential management API specified in the W3C’s recently released WebAuthn standard. This allows web applications to create and use cryptographically attested credentials to authenticate users. Crucially, this lays the foundation for fully passwordless authentication in the browser using a variety of strong credentials, ranging from U2F security keys such as Google’s own Titan key or the one built into Google’s Pixelbooks to local biometric authentication such as Apple’s Touch ID.

Ultimately, the goal is having as many users as possible on phishing-resistant authentication protocols, whether they utilize a security key, an on-device biometric authenticator, or a cryptographic handshake with the users’ mobile device.

This case study originally appeared in Javelin Strategy & Research’s “The State of Strong Authentication 2019” report.

Kookmin Bank Leverages Crosscert FIDO to Provide Easy Biometric Authentication to Its Customers https://fidoalliance.org/kookmin-bank-leverages-crosscert-fido-to-provide-easy-biometric-authentication-to-its-customers/ Mon, 28 Jan 2019 19:18:20 +0000 http://fidoalliance.org/?p=24919

The post Kookmin Bank Leverages Crosscert FIDO to Provide Easy Biometric Authentication to Its Customers appeared first on FIDO Alliance.

There is a growing need these days for easy mobile-based authentication services in various industries such as finance, public, insurance, and education. CrossCertFIDO® produced by CrossCert in Korea helps meet this demand by providing a FIDO-based biometric authentication service. Additionally, CrossCertFIDO® provides an accredited certificate service that leverages FIDO technology (K-FIDO) for user-friendly digital signing in Korea.

Challenge:

There are 65 million subscribers who use mobile banking services in Korea – most of whom use password-based authentication. Also, there are 37 million people who have been issued accredited certificates in Korea. For account transfers, subscribers generate a digital signature over each transaction with their accredited certificate, and the bank verifies it for user authentication, integrity and non-repudiation.

Like many consumers around the world, Korean mobile banking subscribers who must remember a unique password find it uncomfortable for many reasons. Inputting a password on a mobile device is difficult and time consuming, and passwords are highly susceptible to theft and misuse (such as for account hijacking). Additionally, many Koreans feel uncomfortable using passwords when they use an accredited certificate based on the National PKI (NPKI) for digital signing.

As a result, many banks in Korea have sought to implement easy and secure user authentication technology in their online mobile banking service for subscribers, with biometric authentication approaches being a preferred model. However, many banks have hesitated to implement biometric authentication systems that rely upon server-side storage and matching of biometric templates as they present a risk to subscribers of having biometric credentials stolen – which unlike passwords cannot be changed.

Case Study: Kookmin Bank

Kookmin Bank (or KB) is Korea’s leading bank in total assets (2018) and in the National Customer Satisfaction Index (NCSI) (2017). KB has provided a mobile banking service named ‘KBStar Banking’ since 2003. KBStar Banking supports a variety of authentication mechanisms, but almost all subscribers have used password-based authentication and accredited certification in NPKI. Accredited certification has especially been used for digital signing for account transfers and loan applications.

Kookmin Bank has been seeking simpler, stronger authentication for their mobile service due to the fact that many subscribers have expressed displeasure and discomfort with the password-based approach. KB has also needed a solution for accredited certification in NPKI that does not require a password at account transfer or loan application or similar services.

In November 2016, CrossCert implemented the CrossCertFIDO® FIDO client and authenticator, which supports fingerprint, iris and voice biometric authentication, in the KBStar mobile banking app. CrossCert also set up the CrossCertFIDO® server in CrossCert’s global secure datacenter, which has passed ISMS and WebTrust audits, and connected it to a relying party server operated at Kookmin Bank.

KB and CrossCert have also provided subscribers with K-FIDO based authentication and digital signing – which eliminates the need for passwords for loan applications, account transfers and similar services. The net outcome is that subscribers no longer need to remember and input a password.

The Result:

There are now about 3.5 million subscribers who are leveraging simpler, stronger FIDO-based authentication across various KBStar mobile banking apps (KBStar banking, KBStar Mini, Liiv, KB Real Estate, KBStar alarm, KB my money, Liiv TTok TTok). In total there are 16 million FIDO transactions per month and there have been over 260 million total FIDO transactions since the launch of the services (as of October 2018).

Many Korean banks (in addition to KB) have implemented FIDO authentication in their mobile banking apps to provide their subscribers with stronger and more user-friendly authentication. The positive user experiences in banking have set the stage for similar adoption in other industries – e.g., insurance, education and government services.

FIDO UAF and PKI in Asia – Case Study and Recommendations https://fidoalliance.org/fido-uaf-and-pki-in-asia-case-study-and-recommendations/ Mon, 17 Dec 2018 17:35:19 +0000 https://fidoalliance.org/?p=23569 The post FIDO UAF and PKI in Asia – Case Study and Recommendations appeared first on FIDO Alliance.

White Paper: FIDO UAF and PKI in Asia – Case Study and Recommendations https://fidoalliance.org/white-paper-fido-uaf-and-pki-in-asia-case-study-and-recommendations/ Wed, 28 Nov 2018 18:49:23 +0000 http://fidoalliance.wpengine.com/?p=20837

The post White Paper: FIDO UAF and PKI in Asia – Case Study and Recommendations appeared first on FIDO Alliance.

This paper depicts three possible scenarios for integrating FIDO UAF and PKI in Asian countries, along with recommendations for how the two technologies can work together to bring innovation to the authentication marketplace and to pave the way for deploying better authentication solutions to the public.

Case Study: Aetna Advances User Authentication Based on the FIDO Standard https://fidoalliance.org/aetna-case-study/ Thu, 15 Nov 2018 21:39:40 +0000 http://fidoalliance.wpengine.com/?p=15649

The post Case Study: Aetna Advances User Authentication Based on the FIDO Standard appeared first on FIDO Alliance.

Overview

Customer

Aetna is a leading health care organization serving about 37.9 million people.

Challenge

Better authentication for Aetna’s online services customers, partners, and employees. Health care organizations must safeguard protected health information (PHI) to ensure compliance with health care regulations such as HIPAA and HITECH and avoid costly fines and lawsuits due to data exposure.

Solutions

Aetna has adopted the FIDO standard for user authentication, using biometrics to verify customers and its next-generation authentication process (behavior-based security which authenticates users throughout their online sessions on the Aetna Mobile app).

Results

  • Within two weeks of app usage, Aetna was able to set user baselines for behavior.
  • Aetna is using the behavioral data to help protect users, feeding it into the FIDO NGA risk engine, which continuously takes in data and then ultimately discards it. The risk engine is protected with six layers of security controls.

The FIDO Solution

Aetna needed user authentication integrated within the overall experience, simplifying engagement while sending a strong message to customers, partners, and employees that their data is safe. Aetna is proud to be using the FIDO standard for user authentication, biometrics, and next-generation authentication.

FIDO Delivers

The specifications and certifications from the FIDO Alliance enable an interoperable ecosystem of hardware-, mobile- and biometrics-based authenticators that can be used with many apps and websites. This ecosystem enables enterprises and service providers to deploy strong authentication solutions that reduce reliance on passwords and protect against phishing, man-in-the-middle and replay attacks using stolen passwords.

“The FIDO Alliance develops user authentication based on open standards so companies like Aetna can adopt the best modern technologies without being tied into their proprietary offerings,” said Brett McDowell, executive director, The FIDO Alliance. “Standards-based architectures can evolve with the market, are less costly to operate and reduce the risk of operating and maintaining end-of-life systems.”

The Details

Challenge

Health care organizations are seeking to evolve user authentication for a new era of risks and threats. Health care data is highly valued by cybercriminals, because it provides rich personal, financial and medical data that can be used for multiple types of fraud, including insurance claims, health savings accounts, flexible savings accounts and more.

Health care organizations must safeguard protected health information (PHI) to ensure compliance with health care regulations such as HIPAA and HITECH and to avoid costly fines and lawsuits due to data exposure.

Health care security leaders also want to avoid account takeovers, where cybercriminals use the personal demographic information to bypass password reset functions. After several major data breaches, including Anthem, Equifax, Yahoo and others, cybercriminals are able to assemble rich profiles they can use to impersonate users at scale. “The reality is that the industry is getting more and more account takeover attempts,” said Jim Routh of Aetna, who serves as the health care company’s chief security officer (CSO). “Binary authentication [using passwords] has reached obsolescence today.”

Creating Phishing-Resistant Security in the Health Care Industry

Solution: Routh wanted to find a better way to authenticate the customers, partners and employees who use Aetna’s online services. The company is rolling out next-generation authentication (NGA) across its mobile and web platforms, taking a two-phased approach to improving the security and usability of its online services.

First, Aetna has adopted the FIDO standard for user authentication, using biometrics, rather than passwords, to verify customers. Biometric capabilities are evolving rapidly and Aetna wanted to empower consumers with choice while using a standard interface across software and devices. In addition, standards-based architectures cost less to operate versus non-standards-based architectures.

FIDO Authentication Future-Proofs and Simplifies User Authentication

“Aetna adopted the FIDO standard for biometric information to create consistency and simplify the entire authentication process,” says Routh. “FIDO insulates us from the implications of the consumer choice or the security functionality that is built into the device. The standard separates the authentication process from an application developer, so regardless of the configuration of mobile carrier, device maker or online service, we can authenticate every time. More importantly, a member’s biometric information never leaves his or her device, ensuring the member’s identity remains protected and uncompromised.”

Developing user authentication based on open standards also “future-proofs” solutions, so that companies like Aetna can adopt the best modern technologies without being tied into a vendor’s proprietary offerings.

Standards-based architectures can evolve and scale with the market, are less costly to operate than proprietary architectures and also reduce the risk of operating and maintaining systems.

Aetna Uses Up to 60 Behaviors to Authenticate Users During Online Sessions

In the second phase of the program, Aetna rolled out its next-generation authentication process: behavior-based security which authenticates users throughout their online sessions on the Aetna Mobile app. Aetna continuously reviews 30 to 60 different behaviors, such as location, time of access, thumbprint and keystroke style, to ensure that the user remains constant. Thus, for example, if an individual handed a phone to a friend, the app would recognize the new user and ask for another form of authentication.

Setting a New Standard for Security with FIDO

The FIDO standard supports the continuous input of behavioral data into the NGA risk engine. It took Aetna one to two weeks of app usage to set user baselines for behavior. Aetna is using the behavioral data solely to help protect users, feeding it into a risk engine and then ultimately discarding it. The risk engine is protected with six layers of security controls.

Aetna understands that user authentication can be part of the overall experience, simplifying engagement while sending a strong message to customers, partners, and employees that Aetna takes protecting their data seriously. Numerous analysts have stated that exceptional information risk management capabilities and practices (which includes multi-factor authentication) can help differentiate a company in an era of constant hacks and data breaches.

“We have an opportunity to improve security, while also significantly improving the way Aetna joins consumers by eliminating the need to remember passwords,” said Routh.

FIDO Authentication in Hong Kong: Deploying the Future of User Authentication Today https://fidoalliance.org/fido-authentication-in-hong-kong/ Thu, 15 Nov 2018 19:14:31 +0000 https://fidoalliance.org/?p=23553 The post FIDO Authentication in Hong Kong: Deploying the Future of User Authentication Today appeared first on FIDO Alliance.

BC Card Case Study for Biometric Authentication for Mobile Payments https://fidoalliance.org/bc-card-case-study-for-biometric-authentication-for-mobile-payments/ Thu, 11 Oct 2018 18:32:28 +0000 http://fidoalliance.wpengine.com/?p=20656 The post BC Card Case Study for Biometric Authentication for Mobile Payments appeared first on FIDO Alliance.

FIDO UAF and PKI in Asia: A Case Study and Recommendations https://fidoalliance.org/fido-uaf-and-pki-in-asia-a-case-study-and-recommendations/ Thu, 11 Oct 2018 18:31:33 +0000 http://fidoalliance.wpengine.com/?p=20655 The post FIDO UAF and PKI in Asia: A Case Study and Recommendations appeared first on FIDO Alliance.

Case Study: BC Card Provides Advanced User Authentication Based on the FIDO Standard https://fidoalliance.org/bc-card-case-study/ Mon, 10 Sep 2018 17:36:37 +0000 http://fidoalliance.wpengine.com/?p=20647

The post Case Study: BC Card Provides Advanced User Authentication Based on the FIDO Standard appeared first on FIDO Alliance.

The Overview

As mobile payment usage increases, mobile service providers are looking for more secure authentication measures for their users. BC Card’s mobile payment app, paybooc, offers both online and offline payment services through registration with a single ID and login using FIDO-based biometric authentication.

Customer

BC Card is the largest payment processing company in South Korea and the operator of the paybooc mobile payment app.

Challenge

BC Card wanted a more secure way to authenticate their paybooc users that had a positive impact on the user experience.

Solution

BC Card adopted FIDO Authentication using fingerprint, facial and voice biometrics for paybooc login.

Results

More than 1.2 million users have registered in paybooc using FIDO Authentication, making over 1 million transactions monthly.

THE FIDO SOLUTION

FIDO Authentication is proven to provide simpler, stronger authentication. BC Card’s use of the FIDO standards helps ensure that paybooc customers can log in with a single gesture and with stronger security.

The Details

The Challenge: Security that Doesn’t Compromise Usability

Many online payment services rely on password-based logins, which are among the least secure authentication methods. Passwords have been cited as the root cause of the vast majority of data breaches in recent years, and they are often frustrating for consumers because they can be complex and hard to remember.

With the rise of biometric authentication services, consumers are coming to appreciate the convenience of this method for easy login. Recognizing the opportunity to leverage existing smartphone features such as cameras, BC Card set out to integrate biometrics into the paybooc application.

The Solution

BC Card wanted to find a better way to authenticate paybooc users for an easier and more secure payment experience. After considering a number of authentication methods, the company launched FIDO-based fingerprint, voice and facial biometric authentication methods for paybooc users.

paybooc was the first system among Korean financial institutions to provide FIDO® Certified voice and facial recognition.

The FIDO-based voice authentication system is built to identify distinct features of the user’s voice and can distinguish a recording from a live voice. The FIDO-based facial authentication system recognizes the user’s facial features through the mobile device camera. Both systems keep the cryptographic credentials and biometric data on the device to protect against remote spoofing and other attacks (i.e., the use of recorded sounds, pictures or videos to mimic the user).

Verifying customers has become an important issue for the mobile payments industry, and biometric capabilities are rapidly evolving to create a safer and more reliable service for users. BC Card chose FIDO Authentication as a way for consumers to have secure logins with the ease of standards-based, interoperable authentication utilizing biometrics.

The Result: 1.2 Million Registered Users, 1 Million Monthly Transactions

As of May 2018, over 1.2 million users have registered in paybooc using biometric authentication, making over 1 million transactions monthly. This number is increasing steadily as users recognize the ease of using biometrics for authentication as well as the extra security the FIDO standards provide. In the payments industry, mobile transactions are on the rise, and paybooc’s FIDO biometric authentication can adapt to any device.

Why FIDO?

BC Card’s decision to adopt the FIDO standard for biometric authentication was prompted by the need for stronger authentication for its mobile payment services, but also for a seamless user experience. FIDO provides interoperability, ensuring that users can be authenticated on a wide array of devices regardless of mobile carrier, device maker or online service. FIDO Authentication is a fast and convenient alternative to solutions like passwords, which are often difficult to remember, because it requires only a single gesture to log on.

BC Card also chose FIDO as a safeguard against fraud. Spoofing, phishing and other attacks are a direct concern for any payments service looking to authenticate its users well. The FIDO protocols’ use of on-device cryptographic credentials and biometric data cuts out third-party and man-in-the-middle involvement and significantly reduces the chance of hacks or phishing.

This assurance, along with standards-based architectures that can evolve, scale and change with the market, makes FIDO Authentication a secure, cost-effective and simple choice for BC Card’s paybooc. Many biometric authentication services, including Samsung Pay, are FIDO-based, and the quickly spreading FIDO2 standard is well known throughout Korea.

Krebs on Security: Google: Security Keys Neutralized Employee Phishing https://fidoalliance.org/krebs-on-security-google-security-keys-neutralized-employee-phishing/ Mon, 23 Jul 2018 18:51:12 +0000 http://fidoalliance.wpengine.com/?p=13014 Well-known cybersecurity expert and influencer Brian Krebs breaks down how FIDO Authentication using Security Keys has made Google’s 85,000+ employees unphishable.

Implementation Case Study: FIDO2 Authentication by SKT (Korean Language) https://fidoalliance.org/implementation-case-study-fido2-authentication-by-skt-korean-language/ Wed, 18 Jul 2018 18:53:10 +0000 http://fidoalliance.wpengine.com/?p=20675 The post Implementation Case Study: FIDO2 Authentication by SKT (Korean Language) appeared first on FIDO Alliance.

FIDO2 Overview & RaonSecure Integration Case Study (Korean Language) https://fidoalliance.org/fido2-overview-raonsecure-integration-case-study-korean-language/ Wed, 18 Jul 2018 18:52:25 +0000 http://fidoalliance.wpengine.com/?p=20674 The post FIDO2 Overview & RaonSecure Integration Case Study (Korean Language) appeared first on FIDO Alliance.

Implementation Case Study: Cloud Based FIDO2 Authentication by CrossCert https://fidoalliance.org/implementation-case-study-cloud-based-fido2-authentication-by-crosscert/ Wed, 18 Jul 2018 18:51:43 +0000 http://fidoalliance.wpengine.com/?p=20673 The post Implementation Case Study: Cloud Based FIDO2 Authentication by CrossCert appeared first on FIDO Alliance.

Implementation Case Study by eWBM https://fidoalliance.org/implementation-case-study-by-ewbm/ Wed, 18 Jul 2018 18:51:01 +0000 http://fidoalliance.wpengine.com/?p=20672 The post Implementation Case Study by eWBM appeared first on FIDO Alliance.

Fujitsu FIDO Case Study https://fidoalliance.org/fujitsu-fido-case-study/ Fri, 19 Jan 2018 21:16:10 +0000 http://fidoalliance.wpengine.com/?p=20701 The post Fujitsu FIDO Case Study appeared first on FIDO Alliance.

Crucialtec FIDO Deployments and Future Possibilities https://fidoalliance.org/crucialtec-fido-deployments-and-future-possibilities/ Thu, 14 Dec 2017 22:36:33 +0000 http://fidoalliance.wpengine.com/?p=20750 The post Crucialtec FIDO Deployments and Future Possibilities appeared first on FIDO Alliance.

Case Study: Google’s Strong Authentication for Employees and Consumers https://fidoalliance.org/google-case-study-strong-authentication-for-employees-and-consumers/ Tue, 21 Feb 2017 19:39:04 +0000 http://fidoalliance.wpengine.com/?p=20615 The post Case Study: Google’s Strong Authentication for Employees and Consumers appeared first on FIDO Alliance.

Case Study: Google Security Keys Work https://fidoalliance.org/case-study-series-google-security-keys-work/ Wed, 07 Dec 2016 12:59:04 +0000 http://fidoalliance.wpengine.com/?p=5383 This addition to our case study series is a contributed post from Google, summarizing a recent paper and study by Google’s Juan Lang, Alexei Czeskis, Dirk Balfanz, Marius Schilder, Christiaan […]

This addition to our case study series is a contributed post from Google, summarizing a recent paper and study by Google’s Juan Lang, Alexei Czeskis, Dirk Balfanz, Marius Schilder, Christiaan Brand, and Sampath Srinivas.

At Google, we prefer to make data-driven decisions based on statistical and empirical verification. This is particularly true when the security and privacy of more than a billion users are at stake, so we applied this philosophy to verify the practical benefits of deploying FIDO-based Security Keys to our more than 50,000 employees.

Security Keys are devices that make 2-Step Verification easier and more secure for our users. Our two-year deployment and its analysis provide clear confirmation of how well FIDO’s approach is suited to making strong authentication more usable. During this time, we also integrated support for Security Keys in Google’s Chrome browser and in consumer-facing web applications.

The full results of our two-year research study are available in our paper, Security Keys: Practical Cryptographic Second Factors for the Modern Web. Here’s a synopsis:

What We Set Out To Do

The goals for Security Keys are stronger security, high user satisfaction and lower support costs. Our system design goals required Security Keys to be easy to use; easy for developers to integrate with a website via simple APIs; non-trackable, to ensure privacy; and able to protect users from password reuse, phishing and man-in-the-middle attacks. The most common version of our Security Key today is a tiny dongle that plugs into a computer’s USB port, although the Security Key’s underlying protocols are standardized and can also be used over NFC (contactless) and Bluetooth Low Energy.

Comparing Options

In our evaluation, we compared the standard baseline of password authentication with Security Keys, smartphone-based one-time password (OTP) generators and 2-Step Verification over Short Message Service (SMS); the comparison is shown in Table 1. The benefits of each were noted for usability, deployability and security. Our evaluation of these technologies and criteria followed The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes by Joseph Bonneau et al.

While no option is perfect, we found that Security Keys provide the strongest security with the best mix of usability and deployability. See details of the comparison in Table 1 of our published study.

Performance Results

Some performance metrics, such as ease of use, are hard to quantify. Our employees have been very happy with the switch to Security Keys, and we have received many instances of unsolicited positive feedback. With Security Keys, Google employees (and external consumers using this supported option) now have stronger protection against phishing, including well-known campaigns that have elsewhere resulted in major breaches. However, since the impact of this benefit can only be measured in terms of what did not happen, the result is difficult to quantify.

We can, however, quantify other benefits: the total average time spent authenticating dropped by nearly two-thirds with Security Keys compared to OTP over SMS (see “Fig. 6” below, from our study). Since the authentication itself executes in milliseconds, virtually all of this time saving directly benefits users, which may account for the overwhelmingly positive reaction.

With Security Keys, there were zero authentication failures. Over the time period studied, the failure rate for OTP-based authentications was 3%.

Google’s support costs also dropped with Security Keys. Our support organization estimates that we save thousands of hours per year by using Security Keys instead of OTPs for authentication.

Google issued one Security Key per computer or about two Security Keys per employee. With the associated boost in user productivity and lower support cost, we felt this was worth the extra hardware cost. For consumers, multiple vendors provide Security Keys at different prices – some as low as $6 USD. Since consumers need only one device rather than one device per account or site, the resulting cost, in our opinion, approaches the “negligible cost per user” suggested by Bonneau et al.

Conclusion

Our study documents how Security Keys improve 2-Step Verification (2-SV) on the web. They protect users against password reuse, phishing and man-in-the-middle attacks by generating cryptographic assertions over the website’s URL and properties of the transport layer security (TLS) connection. Security Keys also score favorably in the usability framework established by Bonneau et al. Our analysis of performance benefits in the two-year deployment study measures a significant reduction in the sign-in times experienced by users and a reduction in the burden on the support organization. Our Security Key deployment is based on the open Security Key protocol as standardized by the FIDO Alliance as U2F. This standard is supported by major browsers and by the login systems of large web service providers such as Google, GitHub and Dropbox. We hope our research serves as an academic foundation for studying and improving Security Keys going forward.
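An added illustration of the origin binding described in the conclusion, not Google’s code or any FIDO reference implementation: a stand-in Security Key signs over the appID the browser derives from the page origin, and the relying party refuses an assertion produced for a look-alike origin or replayed with a stale counter. The origins, the challenge and the simplified client-data layout are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// clientData is the browser-built, origin-bound structure the key signs over (simplified from U2F).
type clientData struct{ Challenge, Origin string }
// Authenticator stands in for a Security Key: one key per registration plus a signature counter.
type Authenticator struct{ key *ecdsa.PrivateKey; counter uint32 }

// signedMessage is what a U2F key signs: sha256(appID) || user-presence byte || counter || sha256(clientData).
func signedMessage(appID string, counter uint32, cd []byte) []byte {
	app, cdh := sha256.Sum256([]byte(appID)), sha256.Sum256(cd)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append(append(app[:], 0x01), ctr[:]...) // 0x01: user presence confirmed
	return append(msg, cdh[:]...)
}

// Sign mimics the key: the appID it signs over is derived by the browser from the page origin.
func (a *Authenticator) Sign(appID string, cd []byte) ([]byte, uint32, error) {
	a.counter++
	h := sha256.Sum256(signedMessage(appID, a.counter, cd))
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, h[:])
	return sig, a.counter, err
}

// Verify is the relying-party check: origin, challenge and counter first, then the signature recomputed over the RP's own origin.
func Verify(pub *ecdsa.PublicKey, rpOrigin, challenge string, cd, sig []byte, counter, last uint32) error {
	var c clientData
	if err := json.Unmarshal(cd, &c); err != nil || c.Origin != rpOrigin {
		return errors.New("bad client data or origin mismatch: assertion was made for another site")
	}
	if c.Challenge != challenge || counter <= last {
		return errors.New("stale challenge or non-advancing counter: replay or cloned key")
	}
	h := sha256.Sum256(signedMessage(rpOrigin, counter, cd))
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Demo runs a genuine login, a replay of it, and a login relayed through a look-alike origin (all constructed); returns whether each was accepted.
func Demo() (genuineOK, replayOK, lookalikeOK bool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	auth := &Authenticator{key: key}
	const rp, fake = "https://accounts.example", "https://accounts-example.test" // constructed origins
	const challenge = "demo-challenge-0001" // constructed; real RPs mint fresh random bytes per login
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: rp})
	sig, ctr, _ := auth.Sign(rp, cd)
	genuineOK = Verify(&key.PublicKey, rp, challenge, cd, sig, ctr, 0) == nil
	replayOK = Verify(&key.PublicKey, rp, challenge, cd, sig, ctr, ctr) == nil
	cdF, _ := json.Marshal(clientData{Challenge: challenge, Origin: fake})
	sigF, ctrF, _ := auth.Sign(fake, cdF) // browser on the look-alike page binds its own origin
	lookalikeOK = Verify(&key.PublicKey, rp, challenge, cdF, sigF, ctrF, ctr) == nil
	return
}
```

Even if a relaying page forged the origin field in the client data, the key's signature would still cover the hash of the look-alike appID and fail at the signature step.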

Google Case Study: Strong Authentication for Employees and Consumers from FIDO Alliance

Case Study: Korea’s Shinhan Bank Deploys FIDO Authentication https://fidoalliance.org/case-study-shinhan-bank/ Mon, 27 Jun 2016 11:24:07 +0000 http://fidoalliance.wpengine.com/?p=4902 In this series of case studies, the FIDO Alliance talks to organizations that have deployed FIDO strong authentication. In this edition, we spoke with Hyoung Woo Kim who represents the […]

In this series of case studies, the FIDO Alliance talks to organizations that have deployed FIDO strong authentication. In this edition, we spoke with Hyoung Woo Kim who represents the ‘Sunny Bank Business’ department at Shinhan Bank in Korea, which is now offering FIDO-based fingerprint authentication to its Sunny Bank mobile application.


FIDO Alliance: Why did Shinhan Bank decide to offer fingerprint authentication to the Sunny Bank application? What problem were you trying to solve?
Hyoung Woo Kim: Shinhan Bank was looking for a trusted biometric solution to add value for their customers using the Sunny Bank app. We chose this because FIDO has been developed as a biometric standard specifically for the mobile online environment, and biometric-based identity authentication systems through FIDO have been proven to be a secure infrastructure to provide a convenient and strong authentication service. It is used as a second-factor authentication or an easy alternative login of the app (ID/password) in conjunction with the existing banking app.

FIDO Alliance: Please tell us more about Shinhan Bank.
Hyoung Woo Kim: Shinhan Bank was founded in 1897 and operates banking, foreign exchange operations, and trust-services businesses. Its capitalization is 8 trillion KRW ($6.7 billion USD), and the corporation has a turnover of 14.8 trillion KRW ($12.3 billion USD). It has roughly 15,000 employees.

FIDO Alliance: Please describe the new service.
Hyoung Woo Kim: Shinhan Bank has introduced the first FIDO-based biometric authentication technology in the domestic banking services market. This service is a specialized mobile banking platform for Shinhan Bank called ‘Sunny Bank’. By introducing the first non-face-to-face personal identity authentication system, it makes possible a variety of traditional banking services such as opening a new account, deposit and withdrawal inquiry, currency exchange services, MyCar loan applications, and so forth without visiting a bank branch.

FIDO-based fingerprint authentication services with OnePass replace the existing certificate verification system so that the Shinhan Bank app service increases security as well as convenience for its customers in the financial services sector.

FIDO Alliance: Why did Shinhan Bank choose to use FIDO standards for this service?
Hyoung Woo Kim: With the explosive growth in mobile and online banking services, coupled with mandatory regulatory changes related to banking and finance security, the need for a new secure authentication method that is also convenient for mobile users was very pressing.

Furthermore, the FIDO protocol is built around the secure storage of biometric information on the local device, with no transmission of the information necessary for authentication. The FIDO system locally verifies the user on his or her own device and then authorizes an encrypted authentication response to the server.

In order to satisfy both security concerns as well as customers’ requirements, building a convenient and secure authentication service that combines identity services with secure authentication is a real challenge. For Shinhan, the FIDO-based OnePass system was a clear choice to answer that challenge.

FIDO Alliance: What partners worked with you to enable FIDO authentication for the service?
Hyoung Woo Kim: FIDO authentication for the service has been built with Raonsecure, which is a leading FIDO-based biometric solution, mobile security, and PKI security technology provider. Raonsecure was one of the first companies to earn FIDO certification and is a leading FIDO authentication technology provider in Korea. Based on strong financial services management know-how, Raonsecure offers a range of technologies, with a clear understanding of and the ability to meet the requirements of Shinhan Bank.

FIDO Alliance: How many customers are now using the Shinhan Bank service and has Shinhan Bank seen any other positive results?
Hyoung Woo Kim: Shinhan Bank serves approximately 23 million customer accounts, which is roughly half the total population of the Republic of Korea (excluding duplicate customers in 2014).

FIDO Alliance: What role do you see FIDO-based authentication playing for Shinhan Bank in the future?
Hyoung Woo Kim: We are currently providing FIDO-based fingerprint authentication login services with enhanced security to an existing simple login method for customers using the Sunny Bank app, and as an additional authentication method. Currently, it is provided for Android and iOS Smartphone devices with the fingerprint authentication function.

Login, signup products, and funds transaction services provided with existing certificate verification will be gradually changed to the FIDO-based biometric solution, such as fingerprint authentication services via the smartphone application. It will maximize security in financial services and customer convenience simultaneously. Other means of authentication are also being planned in order to expand the variety of other authenticator types, such as iris scan and facial recognition-based authentication.
